Select Committee on Science and Technology Minutes of Evidence

Memorandum by MessageLabs

  Addressing the security issues affecting private individuals when using the Internet is crucial to building and maintaining a stable and successful online economy in the UK. The current rapid growth and convergence of spam, viruses and spyware threats has shown the priority given by the Select Committee to these issues to have been particularly timely and prescient.

  Only through efficient and proportionate responses to the threats presented by spam and viruses will citizens overcome their online security fears and grasp the opportunities offered by the Internet. It is therefore important to understand the nature of the very latest online threats, and that any possible doubts regarding privacy aspects of filtering technology be addressed in as comprehensive a way as possible.

  As the world's leading provider of third party filtering for spam and viruses, MessageLabs has been privileged to be involved in numerous consultations on this and related network security issues, both in the EU and US and also through the OECD.


  The very latest security threat that MessageLabs has been tracking is also perhaps one of the most significant threats in recent years; namely, that of the "targeted trojan". Each targeted trojan is a "one off", a unique piece of malware created with the express intention of breaching a single organisation or even an individual, for stealing personal data, intellectual property or other sensitive information. Since such trojans are "one offs", the probability of them ever making it onto the radar of the broader security community is practically zero. Each targeted trojan is deployed against a limited number of carefully selected targets; typically one such attack, comprising around 7 emails, is intercepted by MessageLabs per day, an increase from one attack every two to three days. However, traditional anti-virus security companies can only safeguard against the threats that they know, and have little chance of protecting against a genuinely new virus or trojan.

  Over the past three years, almost all viruses and spyware have been created for commercial and criminal gain. These viruses are continually being used to create robot-networks ("botnets") of compromised PCs around the world, and these are in turn harnessed by the online criminals for hire by spammers and other unscrupulous networks. Botnets may be used to attack online businesses using a co-ordinated "distributed denial of service" attack, or may equally be used to send millions of spam emails per hour, from each individual PC, using what is known as a "spam cannon" or essentially the spammer's equivalent of a distributed mail-merge, on a grand scale.


  In September 2006, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 64.4 percent (1 in 1.55 emails), a decrease of 0.1 percent on the previous month. This figure of 64.4 percent is actually lower than the "true" spam figure. In early 2005, MessageLabs deployed an additional layer of defence at its network perimeter, known as Traffic Management. This enables us to control the amount of bandwidth that we give to absolutely known bad sources of spam, and then to throttle those connections, slowing them down to a crawl so that, to the spammer, they appear to be talking to a very slow modem. Consequently, many such connections eventually "time out" or move on to softer targets. If we look at the amount of spam hitting our honey-pots, which are unprotected by comparison, the figure would be much closer to 82.1 percent.
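The throttling mechanism described in the paragraph above can be modelled as a per-connection bandwidth budget chosen from the source's reputation. The following is an added illustration, not MessageLabs code; the reputation list, rates, burst size and sender timeout are all assumed values, and the clock is simulated rather than real.

```python
"""Reputation-based connection throttling at a mail perimeter (constructed model).
Known-bad sources are given a crawl-speed byte budget, so a sender with a normal
client timeout gives up before its message is delivered; unknown sources are
served at a workable rate. All addresses, rates and timeouts are assumptions."""
import ipaddress

# Constructed reputation feed: TEST-NET-3 stands in for a known spam source.
KNOWN_BAD = [ipaddress.ip_network("203.0.113.0/24")]
RATE_BYTES_PER_SEC = {"bad": 300, "unknown": 50_000}   # assumed budgets


def classify(source: str) -> str:
    """Return the reputation class of a connecting IP address."""
    ip = ipaddress.ip_address(source)
    return "bad" if any(ip in net for net in KNOWN_BAD) else "unknown"


class Throttle:
    """Token bucket refilled at `rate` bytes/second on a simulated clock."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.tokens, self.now = rate, float(burst), 0.0

    def take(self, n: int) -> float:
        """Consume n bytes; advance simulated time until enough tokens exist.
        Returns the delay (seconds) imposed on this chunk."""
        wait = max(0.0, (n - self.tokens) / self.rate)
        self.now += wait
        self.tokens += wait * self.rate - n
        return wait


def deliver(source: str, message_size: int, sender_timeout: float,
            chunk: int = 1460) -> tuple:
    """Simulate one SMTP DATA transfer of `message_size` bytes from `source`.
    Returns ("accepted", seconds) or ("timed_out", seconds); the sender
    abandons the session once its own timeout elapses, which is the outcome
    the memorandum describes for known-bad sources."""
    bucket = Throttle(RATE_BYTES_PER_SEC[classify(source)], burst=4096)
    remaining = message_size
    while remaining > 0:
        n = min(chunk, remaining)
        bucket.take(n)
        if bucket.now > sender_timeout:
            return ("timed_out", round(bucket.now, 2))
        remaining -= n
    return ("accepted", round(bucket.now, 2))


if __name__ == "__main__":
    print(deliver("203.0.113.45", 50_000, sender_timeout=60))   # known-bad source
    print(deliver("198.51.100.7", 50_000, sender_timeout=60))   # unknown source
```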

  In recent weeks, MessageLabs has noticed an increase in the number of spam emails that use "techno-babble" usually only associated with particular technology strands as a means of social engineering. Not only do messages with enticing subject lines, such as "Bug £33006: Your review is necessary," find their way into programmers' inboxes, but there is also a suggestion that these emails may be deliberately targeted so as to be appealing to these particular groups. In another twist, the "geek" demographic seems to be particularly susceptible to this type of spam, in that the Bayesian filters so often employed by such techies can be easily polluted with technology buzzwords secreted into the body of the spam, such as ".NET" "CPAN" "XSS" "Java" etc.


  The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources destined for valid recipients, was 1 in 89.6 emails (1.12 percent) in September, an increase of 0.1 percent since last month.

  In 2006, MessageLabs has also seen a marked shift in the way online criminals are distributing their malware, in that the proportion of executable-type attachments has declined. This has given way to more social engineering attacks, like phishing.

  The convergence of email threats and the web as a medium has led to an increase in the number of emails containing links to websites hosting malicious software. The malicious website then becomes the vehicle by which the malware is installed onto victims' computers.

  This is highlighted in the charts below:


  A "Botnet" is a collection of compromised computers around the world, infected with trojan horses, or backdoor software, and united by a common command and control infrastructure. A botnet's controller ("bot herder") can control the group remotely, en masse. It can be seen from the following table that bots are increasing in number and distribution:

  This shows that over the last two quarters in 2006, the UK has remained fifth in the top-ten list of botnet-infected regions. However, it is encouraging to note that the percentage of botnet-infected computers in the UK has dropped by 0.4 percent.

  This percentage represents the proportion of "bots" worldwide, ie an estimated 134,400 computers in the UK are currently participating in a botnet of some kind. Botnet computers are typically high-bandwidth (DSL connected) home computers, with little or no protection in place.


  September 2006 showed a large increase of 0.27 percent in the proportion of phishing attacks compared with the previous month. One in 170 (0.59 percent) emails was some form of phishing attack. When judged as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails has risen by 21.7 percent. Phishing attacks accounted for more than half (52.4 percent) of all malicious emails intercepted by MessageLabs in September.

  Phishing attacks continue to become more targeted as more criminal groups shift their attention from creating malware to conducting phishing attacks. The nature of these attacks has also changed in recent months, as the main organisations now being targeted have become those banks that have not currently deployed any two-factor authentication security measures. The approach undertaken by some banking organisations has indirectly resulted in a huge increase in the phishing attacks directed against those banks that may be delaying implementation or still investigating such technology. Those banks that have deployed this technology are still being subjected to attacks, but on a much lesser scale.

  These increased attacks were also a prelude to the release of Microsoft Internet Explorer 7.0, which was launched in October. IE7 includes additional anti-phishing countermeasures. Already, MessageLabs has seen examples of specially crafted bank trojans that are being sold on the Internet, which can be customised for as little as US $800 to target any online banking website. The trojan approach works by monitoring browser addresses and when the victim visits a target site, the trojan will wait for the user to complete the authentication process before hijacking the session and handing control to the criminals.


  In the table below it can be seen that the most common trigger for policy-based filtering, applied by MessageLabs for its business clients, is Advertisements & Popups (90.1 percent).

  The "Unclassified" category identifies new and previously uncategorised sites that may potentially need to be prohibited. The "Unclassified" category affords more confidence when defining new rules, which means that newly detected malicious sites may be handled more appropriately until categorised, thereby safeguarding against sites which appear and disappear within a 24 to 48 hour timeframe; such sites may be used for disreputable purposes, such as hosting phishing and spam sites, information stealing trojans and other fraudulent activities.

  Analysis of web security activity also shows that 99.7 percent of interceptions occur as the result of a rule triggered by a policy which has been implemented by a system administrator. However, 0.3 percent of interceptions are also the result of malware or potentially unwanted programs, including adware and spyware, that were detected heuristically by MessageLabs.


  In the short-term, a high-degree of vigilance can prevail against some of the more contemporary attacks, but only for so long. As cyber criminals become more organised and highly developed, attacks are becoming more targeted, using social engineering to bypass technological barriers. Even the most cautious amongst us may fall prey to such an attack; curiosity in humans, as in cats, can have a very powerful and dangerous influence—sometimes overtaking any consideration for safe computing practices. Accordingly, businesses and individuals alike must consider the primary conduit through which these threats flow in order to mitigate them effectively.

  To do this securely, the principal security defences should be concentrated on these ingress points rather than at the desktop—where often it can already be too late when a breach occurs. Taking this to another level, protocol independent defensive countermeasures woven into the fabric of the internet itself will become the key component of any services-orientated solution. In the same way, domestic broadband connections are the most heavily abused in terms of botnet dispersion, and in turn home users will be looking to their ISP to provide solutions at the Internet level itself.

  Over time, legislation and enforcement in this area will improve and through greater international co-operation and co-ordination it will become much more difficult for the cyber criminals to exploit the differences in cross-border jurisdiction. However, this is fundamentally a technical problem and as such will always require a technical solution, first and foremost, and by addressing the problem "in the cloud" at the Internet level, it is taking the fight one step closer to the criminals.

23rd October 2006


© Parliamentary copyright 2007