Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by IET, The Royal Academy of Engineering and BCS, the Chartered Institute for IT (Malware 11)

Please find attached a response to the House of Commons Science and Technology Select Committee inquiry on Malware and Cyber Crime. This response represents the views of BCS, The Chartered Institute for IT, the Institution of Engineering and Technology (IET) and the Royal Academy of Engineering.

We note that the Government Cyber Crime Strategy will be published later this month. We would be willing to comment on this strategy once published, as a supplement to the response attached.


1.  What proportion of cyber-crime is associated with malware?

We believe that a definitive answer cannot be given. The true extent of the cyber-crime problem goes unreported and unrecorded. Authoritative data has yet to be collected and collated from responsible bodies such as the Serious Organised Crime Agency (SOCA) and the Police National E-Crime Unit. We are cautious about recommending "industry" figures as we believe that in many cases the figures are debatable and in some instance self-serving.

Even with a precise definition of cyber crime or of malware, security researchers cannot do more than guess at statistics by extrapolating from tiny populations. In May 2010, it was generally accepted in the anti-malware research community that there were around 43 million known malicious programs (evidenced by several presentations at the Computer Anti-virus Researcher's Organisation (CARO) workshop in Helsinki). ESET (an antivirus company) claims that as many as 200,000 unique samples of malware can be seen per day. It is hard to be specific however, due to the fact that estimates vary widely from company to company.

It is generally argued that malware is used either directly or indirectly in a significant proportion of cyber crime. A very high proportion of cyber crime has some sort of connection with malware, with most crime being fuelled by botnets (spam, phishing, malware distribution, Distributed Denial of Service (DDoS), fake antivirus (AV), captcha breaking, click fraud etc). Malware can be utilised in various and different forms. It can range in complexity from a simple open proxy to an advertisement delivery platform, to something quite advanced such as a self-propagating malware delivery system. Malware has increased in complexity, sophistication and volume, making it more difficult to quantify.

The banks and law enforcement agencies are best placed to provide a more definitive answer on what proportion of cyber crime is associated with malware. Bank customers are asked to report instances of cyber crime to their bank rather than directly to the police; however the banks are said to have an incentive to treat many reports as the fault of their customer and not as crime. Police figures are therefore likely to be lower than the real numbers.

We would like to point out that there is likely to be a substantial increase in cyber crime as more financial transactions are carried out on mobile phones, which are much more vulnerable and virtually unprotected from malware.

2.  Where does the malware come from? Who is creating it and why?

The usual intention of a malware user is to compromise and potentially control as many systems as possible. Usually malware is created by intelligent individuals who desire either financial advantage, fame or power - power gained from control or the fame gained from being an international cyber criminal. A significant proportion of malware is said to come via emails, mainly through attachments.

The usual sources include organised crime, hackers, and activists; reasons include status, disruption, dissidents, military, business espionage, theft, financial gain and global terrorism.

There are six notable groups associated with the use of malware:

(i)  "Script kiddies" exploit code developed by others and pretend that they are hackers. They are sually only able to attack very weakly secured systems.

(ii)  Criminals—Criminals work individually or within increasingly professional organisations and are responsible for credit card fraud and other theft activities. In economically challenged countries with high unemployment, graduates are tending to join these groups. In Russia, there are various groups using a notorious Internet Service Provider (ISP) which has been reported to host websites for illegal businesses. They use professional teams for their criminal objectives.

(iii)  Hacker groups—These groups usually work anonymously and develop tools for hacking. They may hack computers for no criminal reason, often to just show their presence. Hacking can also provide a route to employment, with companies often hiring hackers to test their security.

(iv)  Insiders—Although they represent only 20% of the threat, they produce 80% of the damage to the systems. These attackers are considered to be the most dangerous group. It is very difficult to identify them as they reside inside an organisation, working as authorised users. Their motives may be criminal or personal.

(v)  Political/religious/commercial groups—These groups are not usually interested in financial gain. Governments can deploy considerable resources and technical expertise to develop malware for political ends. The Stuxnet worm for instance, which attacked Iran's nuclear enrichment facilities, was believed to be developed by a foreign government. Malware is said to be also used by commercial companies with the intention of stealing the IPR from their competitors.

(vi)  Advanced Persistent Threat (APT)/nation state—This term has been used for some time in government and military domains to describe targeted cyber attacks carried out by highly organised state-sponsored groups, with deep technical skills and computing resources.

Regional variations

Regional variations have been observed in the use of malware. African malware use tends to involve non-technical fraud. Russia and Latin/South America tend to be associated with malware relating to banking/financial fraud and phishing. Russia and Eastern Europe have highly organised gangs devoted to a whole economic framework related to cyber crime, from money laundering to credit card credentials to malware distribution.

3.  What level of resources is associated with combating malware?

We believe that considerable resources are needed to combat malware. Malware prevention is thought to be a significant expense and drain on resources. Ensuring that all AV, (Anti Virus) signatures are up-to-date is often a full time job for an individual or team depending on the size of the organisation that is being served. It is reported that the United States federal agencies spend about $100 million a year on combating cyber crime through the Federal Bureau of Investigation (FBI), Secret Service, National Cyber-Forensics & Training Alliance (NCFTA), Department of Homeland Security (DHS). Large web services firms like Google and Microsoft are thought to spend in the order of $100 million a year each on cyber crime prevention, with smaller firms like PayPal and Yahoo spending in the tens of millions.

We believe that it is impossible to provide a complete defence against malware. It is only possible to provide an effective defence for known vulnerabilities for which that the vendor has supplied a security patch. AV software is only partially effective in detecting malware on a data channel that the software is monitoring. There is no defence against malware that is exploiting vulnerabilities that are only known to the attacker (or malware writer). This means that even with vast resources, an organisation cannot guarantee 100% effectiveness in the detection and elimination of malware attacks.

We have identified five distinct resource types:

(i)  Development resources are used to design and implement security in a system as it is being built.

     On 15 January 2002, Bill Gates, the chairman of Microsoft, informed all employees that security was a top priority, changing the company's strategy. It took Microsoft until 25 August 2004 to make its PC operating system secure, when it released Service Pack 2 for Windows XP. The first PC operating system that was built with security in mind was not until 30 January 2007 when Windows Vista was released, some five years after the company's strategy was changed. Microsoft released Windows 7 on 22 October 2009 which made significant improvements in the security of the product over previous versions. However, there are still vulnerabilities in Windows 7.

     Microsoft is the exception. Most vendors of software tend not to incorporate security into their products, as they see the cost as an overhead, with no commercial advantage to them. For example, Adobe found its products targeted in 2010-11, particularly Adobe Reader and Flash, which forced them to have to release out-of-cycle security to address vulnerabilities that were actively being exploited.

(ii)  Research resources are the resource required to find and identify the vulnerability in a system, whether it is being actively exploited at present or not.

     Responsible researchers who have identified vulnerabilities in a system inform the vendor, and allow the vendor time to fix the vulnerability. Malware writers do not inform the vendor of the vulnerabilities they are exploiting. Malware that is exploiting an unknown vulnerability has to be reversed-engineered, which is a highly skilled job and resource intensive.

     To fully analyse a specific piece of malware may take weeks or months depending on its level of sophistication. For example, the Stuxnet worm is still being analysed six months after the original detection.

(iii)  Vendor resources (which also apply to systems developed internally) are those resources required to develop and test a security patch to help with the detection of vulnerabilities.

     Vendors who become aware of security vulnerabilities in their products have to develop a security patch that will prevent the malware exploiting that particular vulnerability. However, the vendor has to ensure that the patch does not break any of the existing functionality of the system. The vendor may have to divert resource away from developing new products to developing and testing a patch for the vulnerability.

Individual resources are those employed by an individual to maintain their own system in a good state to defend against malware.

     The resources that individuals have to deploy require some technical knowledge. Security patches have to be deployed in a timely manner, and many people simply do not understand the importance of doing so. AV has to be installed, which will then update with the latest AV signatures. We would welcome any initiatives that would help to educate users about the dangers of opening suspicious emails, for instance, the risks associated with opening attachments without scanning them first.

(v)  Organisation resources are the resources of organisations (government department/agency, commercial organisation, or charitable organisations) used to maintain their systems in a good state in order to effectively defend against malware attacks.

     The costs are significant as security patches must be tested before they are deployed. If there is inadequate testing, then the system may no longer work after the patch has been deployed. If the testing takes too long, then the system can become infected with malware before the patch is deployed. To perform effective testing requires that test scripts are developed that enable automated testing to be performed. While the test system does not need to be identical to the live system, it does need to be a realistic representation of the live system to enable valid tests to be performed. This requires significant outlay in resources to develop the test scripts, and to have the infrastructure in place for the test systems.

     While a large organisation can afford to invest in systems, scripts and resources to carry out testing and analyse the test results, this is not realistic for individuals, who must rely on the testing performed by the vendor. Individuals do not have the expertise to monitor for suspicious activity, although this would improve with the provision of educational initiatives, as mentioned in section iv.

4.  What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

There are no authoritative statistics. The proportion of infected PCs is variously estimated to be in the 1-15% range; 5% might be a conservative estimate. It has been reported that hostile cyber attacks on companies accounted for nearly one third of all UK data breaches in 2010 - up from around 22% the year before, with incidents becoming increasingly expensive.

A survey by the Ponemon Institute found that the cost of a data breach rose in 2010 for the third year running. The average data breach incident cost UK organisations £1.9 million or £71 per record, an increase of 13% on 2009, and 18% on 2008. The incident size ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million. The most expensive incident increased by £2.3 million compared to 2009.

Impact to individuals

The impact to the individual from a successful malware infection is varied, but can be very significant. Examples include:

(i)  The PC becomes part of a Botnet (maybe thousands or tens of thousands of individual computers), which is then used by criminals to distribute Spam email to others, or to launch a denial of service attack against an organisation. Botnets are increasingly rented out for criminal purposes. The owner of the PC may only suffer a loss in performance of their PC, or they may be accused of committing a criminal offence.

(ii)  The malware may be used to extract useful information that may be stored on the PC, which could include personal details, bank details etc. For example, the government outlined in December 2010 that it had been a victim of the Zeus malware, with undisclosed loss of sensitive information. The loss of information can have serious consequences for the individual concerned, not only financial loss, but could affect their relationships with others or cause the loss of irreplaceable records such as personal photographs.

(iii)  The PC may be used to host illegal content. For example, child pornography. The owner of the PC is then open to being accused of knowingly hosting the illegal content.

The cost of malware infection is very high. Whilst there are some solutions, they tend to be part of a portfolio, which can be expensive. The cost to individual PC users is reported to be in the tens of pounds/dollars and euros per year in terms of AV expenditure. Furthermore, it is claimed that up to two million people or 4% of the English population are said to become victims of fraud each year. Cleaning up infected corporate networks may cost tens of millions of pounds and take a team of people several months.

Industry effectiveness

By and large, industry is not effective in defending against malware attacks. Many vendors still do not take security seriously. What we are seeing is an arms race, with the malware writers always being one step ahead of the defenders. To quote from a Virus Bulletin article (1 Feb, 2011):

"In the mid 90s we were in a position where we could accurately count the number of viruses that had been seen. This was possible for several reasons:

(i)  The number of new viruses was small enough for each sample to be identified and analysed in detail.

(ii)  It was easy to determine which part was virus and which part was the infected application.

(iii)  The size and complexity of the malware was quite limited."

In 2011, the situation is completely different, with a large variety of malware out on the internet (new variants of a particular malware are produced every day or so). Malware threats have increased in complexity.

AV software vendors have varying degrees of effectiveness at detecting known malware threats. Some large vendors have effectively stopped developing their product five years ago, so may only be 50% effective at detecting known malware.

5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

All malware is in breach of the Computer Misuse Act 1990 and therefore a criminal activity. Malware therefore needs to be viewed in the same way as any other criminal offences. Human disease, in contrast, is natural and may be unavoidable. This is not the case for malware and as such the Government needs to be instrumental in tracing those responsible and prosecuting them accordingly. The biological analogies (virus, worm) should not be stretched to imply that similar control mechanisms would be effective in the cyber domain.

According to the Cabinet Office—see

"The Cost of Cyber Crime" report reveals that whilst government and the citizen are affected by rising levels of cyber crime, at an estimated £2.2 billion and £3.1 billion cost respectively, business bears the lion's share of the cost. The report indicates that, at a total estimated cost of £21 billion, over three-quarters of the economic impact of cyber crime in the UK is felt by business.  In all probability, and in line with worst-case scenarios, the real impact of cyber crime is likely to be much greater.

We therefore believe that the Government should help tackle the spread of malware, to reduce the impact on the UK economy.

We also believe that the Government needs to provide incentives to businesses to protect individuals against such losses. At present, it is not considered a commercial imperative among many organisations.

The Government should consider the following when developing a cyber crime strategy:

(i)  Education—The website provides good advice on security. We would encourage the Government to increase the level of advice it provides to the public about security, in order that people do not remain ignorant about the issues of information security. Users need to be educated in information security to ensure that they are able to effectively protect themselves. The best security systems can be defeated by a user who wilfully and ignorantly overrides them (eg when they are the target of Phishing and Spear Phishing attacks, which dupe people into entering personal data into fake websites). We would again argue that more resources should be given over to explaining the basic security facts and the importance to individuals and industry. Basic lessons in the safe use of computers should be provided regularly to schoolchildren throughout their schooling, starting in primary school, in view of the reducing age at which children become active and vulnerable users of computers and mobile devices.

(ii)  Government contracts—It is important that the UK Government leads by example. The Government could consider deploying products where the vendor of the product has actively designed security into the product. As in the case of Microsoft, this is not a simple tick-in-a-box exercise, but requires considerable effort to achieve properly. Security has to be designed into the product from the start, and cannot be added on at a later date.

     The Government is a large buyer of ICT systems. Consequently, it can have an impact on the marketplace. The Government could have significant influence if a list of more secure products was published. This could result in increased security provision by individuals and organisations, who look to the Government to provide advice.

     Furthermore, the Government needs to ensure that its contracts ensure that its own systems are maintained in a secure state. Contracts need to outline which systems should be patched (all should be patched, in our view) and the frequency of patch deployment.

(iii)  Legislation—Criminals operate in many different jurisdictions, making it difficult to prosecute them.

     There are very few convictions under current legislation. Developing malware, and installing malware onto computers, are offences which should be punished with penalties proportionate to the losses caused.

     Legislation would also need to make it clear that researchers and vulnerability and penetration testers, who have a contract in place to perform such testing, are not committing an offence.

(iv)  International relationships—The UK Government needs to encourage other countries to establish appropriate legislation that enables the successful prosecution of criminals who are committing cyber crime. Sanctions also need to be imposed on countries that are harbouring cyber criminals.

     There needs to be cooperation between countries on cyber crime. While for some serious crimes such as child pornography, there is cooperation, there is not the same level of cooperation for less serious offences. The cost to the UK economy is estimated at £21 billion a year by the Cabinet Office (see above), with the majority of criminals based outside the UK. The UK cannot solve this problem on its own. It needs the cooperation of other countries to eliminate the threat.

6.  How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

We are unclear on the detail of the Government's strategy toward cyber crime associated with malware. We do, however, strongly believe that it is the responsibility of the government to try and prevent cyber crime.

We would like to see renewed focus by the Government in preventing exploitation of its core departments by its competitors overseas and lead by example. We would also argue that the police need to be better resourced to combat cyber crime, and to ensure that all criminal malware use is prosecuted. This will need to be done in conjunction with any educational initiatives that ensure individuals and organisations are aware of malware threats and the importance of security provision.

7 September 2011

previous page contents next page

© Parliamentary copyright 2012
Prepared 2 February 2012