Malware and cyber crime - Science and Technology Committee


Written evidence submitted by the Australian Institute of Criminology (Malware 19)

BACKGROUND

1.  In July 2011, the House of Commons Science and Technology Committee chaired by Andrew Miller MP launched a new inquiry into the impact of malware on individuals, the responsibilities of Government to aid in the prevention of malware infections, and the economy that has grown up around this industry. The Australian Institute of Criminology (AIC) welcomes the opportunity to contribute to the current Inquiry.

2.  The AIC is Australia's national research and knowledge centre on crime and justice. It seeks to promote justice and reduce crime by undertaking and communicating evidence-based research to inform policy and practice. The AIC conducts research on a wide range of crime-related subjects, including cybercrime.

3.  The material in this document is provided by the AIC in response to the House of Commons Science and Technology Committee's inquiry into malware and cybercrime.

SUBMISSION DETAILS

Introduction

4.  This submission provides information arising from AIC research that is applicable to the Inquiry's terms of reference. This submission also outlines action currently being taken by the Australian Government in response to the malware threat.

5.  Malware, or malicious software, includes viruses, worms, keyloggers, spyware, trojans and botware (see definitions in Table 1). Potential outcomes of malware infection include account names and passwords being compromised, which may lead to fraudulent activity; files being accessed and copied; and corruption of hardware or software resulting in computer downtime or a slowed computer network (Furnell, 2010). Botware may also result in the infected computer being used as part of a botnet, a network of compromised machines, which, among other things, can be harnessed to send spam, facilitate phishing and click fraud, host illegal data, disseminate other malware and conduct distributed denial of service attacks (Choo, Smith & McCusker, 2007). Denial of service (DoS) attacks involve overloading a website or computer system so that legitimate access is blocked. When using botnets this is known as a Distributed Denial of Service, or DDoS, attack (Grabosky, 2007).

Table 1

MALWARE DEFINITIONS
| Name | Definition |
| --- | --- |
| Virus | A self-replicating program that is spread by opening infected files and uses up available memory |
| Worm | A self-replicating program that spreads automatically and uses up available memory |
| Keylogger | A program that records users' keystrokes |
| Spyware | A program that can monitor computer activity |
| Trojan | Malware disguised as legitimate software, such as a game |
| Botware | A program that connects a computer to a botnet and enables it to be controlled remotely |

Source: Grabosky, 2007.

1.  What proportion of cybercrime is associated with malware?

6.  In 2008, the AIC commissioned the Australian Business Assessment of Computer User Security (ABACUS) survey, a randomised survey of small, medium and large businesses from a range of industry sectors and from all Australian states and territories. This survey examined the prevalence and nature of computer security incidents experienced by businesses in the 2006-07 financial year, the areas in which business systems were vulnerable to such incidents and the cost, types and effectiveness of approaches Australian businesses used to prevent them (Richards, 2009). The survey was weighted according to industry type and business size so that the data provided by each participant was proportionate in relation to the broader population being sampled. Challice (2009) provides an overview of the research methodology.

7.  During 2006-07, 14% of businesses reported having experienced one or more computer security incidents (Richards, 2009). Of these, 83% experienced one to five incidents, 8% experienced six to 10 incidents and nine percent experienced more than 10 incidents (Richards, 2009). The number of computer security incidents experienced, by business size, is depicted below in Figure 1.

Figure 1

NUMBER OF COMPUTER SECURITY INCIDENTS EXPERIENCED, BY BUSINESS SIZE (%)

Note: n=3,620. Excludes 307 businesses with no information technology and 74 missing answers (61 from small, 12 from medium, one from large businesses).

Source: Richards, 2009.

8.  The most prevalent type of incident was infection by a virus or other malicious code, which was reported by 64% of ABACUS respondents that had experienced a computer security incident. The second most prevalent incident involved spyware, reported by 44% of victimised respondents. DoS attacks, which often involve the use of botnets, were experienced by four percent of respondents reporting a computer security incident. Figure 2 below provides an overview of the types of computer security incidents experienced, by business size.

Figure 2

TYPES OF COMPUTER SECURITY INCIDENTS EXPERIENCED BY VICTIMISED BUSINESSES, BY BUSINESS SIZE (%)


Note: n=781. Excludes 307 businesses with no information technology, 2,881 businesses that experienced no computer security incidents and 31 missing answers (25 from small, six from medium, less than one from large businesses).

Source: Richards, 2009.

2.  Where does the malware come from? Who is creating it and why?

9.  Common ways that computers become infected with malware include visiting websites or opening email attachments (Furnell, 2010).

10.  Malware is commonly traded online, using black market portals. Hutchings (in progress) has conducted qualitative interviews with computer crime offenders and police officers investigating hacking and computer fraud offences. This research indicates that these portals are also used to trade in compromised data, to learn and teach others about vulnerabilities and to trade in particular skill sets. In addition, portals were found to offer a number of advantages to offenders. For example, they allow for anonymous communication, and access can be controlled to minimise law enforcement infiltration. Some countries have poor reputations for responding to online crimes; however, it can be difficult to determine country of origin as offenders are likely to hide behind open proxy servers (Hutchings, in progress).

3.  What level of resources are associated with combating malware?

11.  The ABACUS survey asked the respondents which anti-fraud and malware tools had been used during the 2006-07 financial year. Anti-fraud tools included anti-spam filters (used by 64% of participants) and anti-phishing software (used by 34% of respondents), while malware tools included anti-virus (used by 85% of participants) and anti-spyware software (used by 59% of participants). Overall, 88 percent of businesses with information technology reported using some type of anti-fraud or anti-malware tool. The proportions of small, medium and large businesses that reported using each of these computer security tools are shown below in Figure 3.

Figure 3

BUSINESSES' USE OF ANTI-FRAUD AND MALWARE TOOLS, BY BUSINESS SIZE (%)


Note: n=3,658. Excludes 307 businesses with no information technology and 36 missing answers (34 from small, two from medium businesses).

Source: Richards, 2009.

12.  Respondents were asked to estimate their total information technology security expenditure for the 2006-07 financial year. Table 2 below shows the median, mean and range for total information technology expenditure by business size. It was estimated that in Australia between AUD$1.37 billion and AUD$1.95 billion is spent by businesses on computer security each year (Richards, 2009).

Table 2

TOTAL INFORMATION TECHNOLOGY SECURITY EXPENDITURE, BY BUSINESS SIZE (AUD$)
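| Business size | Median* | Mean | Minimum | Maximum |
| --- | --- | --- | --- | --- |
| Small | 200 | 992 | 0 | 150,000 |
| Medium | 2,000 | 7,614 | 0 | 300,000 |
| Large | 10,000 | 38,474 | 0 | 750,000 |
| Businesses overall | 250 | 1,830 | 0 | 750,000 |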

*Medians are only estimates, due to the use of weighted data.

Note: n=3,330. Excludes 307 businesses with no information technology and 363 missing answers.

Source: Richards, 2009.

4.  What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

13.  Almost half (47%) of business respondents to the ABACUS survey who reported one or more computer security incidents identified viruses, malicious code and spyware as causing the greatest financial loss, and 57% identified these incidents as being the most significant (Richards, 2009). Negative outcomes were reported by 77% of businesses following the most significant computer security incident; these included:

—  corruption of hardware or software (40%);

—  corruption or loss of data (31%);

—  unavailability of service (38%);

—  website defacement (2%);

—  theft or loss of hardware (6%);

—  theft of business, confidential or proprietary information (5%);

—  non-critical operational losses (25%);

—  non-critical financial losses (12%);

—  harm to reputation (4%);

—  critical operational losses (4%);

—  critical financial losses (4%); and

—  other (1%) (Richards, 2009).

14.  When a computer security incident occurred, the average loss to a business was AUD$4,469 (Richards, 2009).

5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

15.  The Australian Government responds to malware in a variety of ways. For example, in accordance with the Australian Internet Security Initiative (AISI), the Australian Communications and Media Authority (ACMA) identifies computers infected with botware and informs the relevant internet service provider (ISP). The ACMA identified 4,093,436 compromised computers in the 2009-10 financial year, an average of 11,215 per day (ACMA, 2011).

16.  It is estimated that over 90 percent of Australian home internet users are customers of the 82 ISPs participating in the AISI (ACMA, 2011). When these ISPs have been informed by the ACMA that a customer's computer has been infected with botware they can select from a range of responses as set out in the voluntary icode. These options include:

(a)  contacting the customer directly (by phone, email or SMS or other means);

(b)  regenerating the customer's account password to prompt customers to call the helpdesk so they can be directed to resources to assist;

(c)  applying an "abuse" plan where the customer's Internet service is speed throttled;

(d)  temporarily quarantining the customer's service, for example by holding them within a "walled garden" with links to relevant resources that will assist them until they are able to restore the security of their machine;

(e)  in the case of spam sources, applying restrictions to outbound email (simple mail transfer protocol—SMTP); and/or

(f)  such other measures as determined by the ISP consistent with their terms of service (Internet Industry Association, 2010).

17.  CERT Australia is Australia's official national computer emergency response team. It also provides a direct response to malware by identifying account details that have been obtained using malware, and advises the relevant organisations when their customers' account details have been compromised so that appropriate action can be taken. CERT Australia detected over 250,000 compromised accounts during the period of September 2010 to February 2011 (McClelland, 2011). CERT Australia advises that this is an area of ongoing work and that the figure has significantly increased since this time.

REFERENCES

Australian Communications and Media Authority 2011. Annual Report 2009-10. Melbourne: Commonwealth of Australia. http://www.acma.gov.au/WEB/STANDARD/pc=PC_312295

Challice G 2009. The Australian Business Assessment of Computer User Security (ABACUS) survey: Methodology report. Technical and background paper series no. 32. Canberra: Australian Institute of Criminology. http://www.aic.gov.au/publications/current%20series/tbp/21-40/tbp032.aspx

Choo K-K R, Smith R G & McCusker R 2007. Future directions in technology-enabled crime: 2007-09. Research and public policy series no. 78, Canberra: Australian Institute of Criminology. http://www.aic.gov.au/publications/current%20series/rpp/61-80/rpp78.aspx

Choo, K-K R 2010. Cloud computing: Challenges and future directions. Trends and Issues in Crime and Criminal Justice series no. 400. Canberra: Australian Institute of Criminology. http://www.aic.gov.au/publications/current%20series/tandi/381-400/tandi400.aspx

Furnell, S 2010. Hackers, viruses and malicious software. In Y Jewkes & M Yar, Handbook of Internet Crime (pp. 173-193). Devon: Willan Publishing.

Grabosky, P 2007. Electronic Crime. New Jersey: Pearson Education Inc.

Hutchings, A J (in progress). Theory and Crime: Does it Compute? (Doctoral thesis). Mt Gravatt: Griffith University.

Internet Industry Association 2010. icode: Internet Industry Code of Practice. Manuka: Internet Industry Association. http://iia.net.au/images/resources/pdf/iiacybersecuritycode_implementation_dec2010.pdf

McClelland, R 2011. Australian Defence Magazine—Cyber Security Summit. Barton: Attorney-General's Department. http://www.attorneygeneral.gov.au/www/ministers/mcclelland.nsf/Page/Speeches_2011_ThirdQuarter_25July2011-AustralianDefenceMagazine-CyberSecuritySummit

Richards K 2009. The Australian Business Assessment of Computer User Security: A national survey. Research and public policy series no. 102. Canberra: Australian Institute of Criminology. http://www.aic.gov.au/publications/current%20series/rpp/100-120/rpp102.aspx

Urbas G & Choo K-K R 2008. Resource materials on technology-enabled crime. Technical and background paper no. 28. Canberra: Australian Institute of Criminology. http://www.aic.gov.au/publications/current%20series/tbp/21-40/tbp028.aspx

Dr Adam Tomison, Director (Chief Executive) of the Australian Institute of Criminology

Dr Rick Brown, Deputy Director (Research)

Ms Alice Hutchings, Research Analyst

Australian Institute of Criminology

8 September 2011




© Parliamentary copyright 2012
Prepared 2 February 2012