Memorandum by MessageLabs
Addressing the security issues affecting private
individuals when using the Internet is crucial to building and
maintaining a stable and successful online economy in the UK.
The current rapid growth and convergence of spam, viruses and
spyware threats has shown the priority given by the Select Committee
to these issues to have been particularly timely and prescient.
Only through efficient and proportionate responses
to the threats presented by spam and viruses will citizens overcome
their online security fears and grasp the opportunities offered
by the Internet. It is therefore important to understand the nature
of the very latest online threats, and that any possible doubts
regarding privacy aspects of filtering technology be addressed
in as comprehensive a way as possible.
As the world's leading provider of third party
filtering for spam and viruses, MessageLabs has been privileged
to be involved in numerous consultations on this and related network
security issues, both in the EU and US and also through the OECD.
The very latest security threat that MessageLabs
has been tracking is also perhaps one of the most significant
threats in recent years; namely, that of the "targeted trojan".
Each targeted trojan is a "one off", a unique piece
of malware created with the express intention of breaching a single
organisation or even an individual, for stealing personal data,
intellectual property or other sensitive information. Since such
trojans are "one offs", the probability of them ever
making it onto the radar of the broader security community is
practically zero. Each targeted trojan is deployed to a limited
number of carefully selected targets. Typically one such attack,
comprising around 7 emails, is now intercepted by MessageLabs per
day, an increase from one attack every two to three days. However, traditional
anti-virus security companies can only safeguard against the threats
that they know, and have little chance of protecting against a
genuinely new virus or trojan.
Over the past three years, almost all viruses
and spyware have been created for commercial and criminal gain.
These viruses are continually being used to create robot-networks
("botnets") of compromised PCs around the world, and
these are in turn harnessed by the online criminals for hire by
spammers and other unscrupulous networks. Botnets may be used
to attack online businesses using a co-ordinated "distributed
denial of service" attack, or may equally be used to send
millions of spam emails per hour, from each individual PC, using
what is known as a "spam cannon" or essentially the
spammer's equivalent of a distributed mail-merge, on a grand scale.
In September 2006, the global ratio of spam
in email traffic from new and unknown bad sources, for which the
recipient addresses were deemed valid, was 64.4 percent (1 in
1.55 emails), a decrease of 0.1 percent on the previous month.
This figure of 64.4 percent is actually lower than the "true"
spam figure. In early 2005, MessageLabs deployed an additional
layer of defence at its network perimeter, known as Traffic Management.
This enables us to control the amount of bandwidth that we give
to absolutely known bad-sources of spam, and then to throttle
those connections, slowing them down to a crawl so that to the
spammer, they appear to be talking to a very slow modem. Consequently,
many such connections eventually "time-out" or move
on to softer targets. If we look at the amount of spam hitting
our honey-pots, which are unprotected by comparison, this figure
would be much closer to 82.1 percent.
In recent weeks, MessageLabs has noticed an
increase in the number of spam emails that use "techno-babble"
usually only associated with particular technology strands as
a means of social engineering. Not only do messages with enticing
subject lines, such as "Bug #33006: Your review is necessary,"
find their way into programmers' inboxes, but there is also a
suggestion that these emails may be deliberately targeted so as
to be appealing to these particular groups. In another twist,
the "geek" demographic seems to be particularly susceptible
to this type of spam, in that the Bayesian filters so often employed
by such techies can be easily polluted with technology buzzwords
secreted into the body of the spam, such as ".NET", "CPAN",
"XSS", "Java", etc.
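To make the "pollution" effect concrete, the following is an added illustration (not code from the memorandum or from MessageLabs): a minimal word-presence naive Bayes filter trained on a constructed corpus of programmer mailing-list ham and commercial spam. A spam pitch is classified correctly, the same pitch with developer buzzwords appended flips to ham, and restricting the verdict to the most decisive tokens (the approach popularised by Paul Graham's "A Plan for Spam") recovers the right answer in this case; the corpus, messages and `top_k` value are all assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed training corpus (not taken from the memorandum): developer
# mailing-list traffic as ham, a few commercial pitches as spam.
HAM = [
    "java build failed on cpan module",
    "xss fix merged in .net branch",
    "cpan upload review java",
    "review the xss patch for .net",
]
SPAM = [
    "cheap pills buy now",
    "buy cheap viagra online",
    "pills online discount buy",
    "discount cheap now online",
]

def tokens(msg):
    return set(msg.lower().split())

def train(ham, spam):
    """Per-token log-odds log(P(t|spam)/P(t|ham)), using Laplace-smoothed
    message-presence counts (how many messages of each class contain t)."""
    ham_df = Counter(t for m in ham for t in tokens(m))
    spam_df = Counter(t for m in spam for t in tokens(m))
    vocab = set(ham_df) | set(spam_df)
    return {t: math.log(((spam_df[t] + 1) / (len(spam) + 2)) /
                        ((ham_df[t] + 1) / (len(ham) + 2))) for t in vocab}

def score(model, msg, top_k=None):
    """Sum of token log-odds; positive means spam. With top_k set, only the
    k tokens carrying the strongest evidence (largest |log-odds|) count, so
    padding with many hammy words no longer drowns a few strong spam words.
    The cap only helps while the spam tokens remain more decisive than the
    injected ones; this is a mitigation, not a cure."""
    weights = [model[t] for t in tokens(msg) if t in model]
    if top_k is not None:
        weights = sorted(weights, key=abs, reverse=True)[:top_k]
    return sum(weights)

def classify(model, msg, top_k=None):
    return "spam" if score(model, msg, top_k) > 0 else "ham"

MODEL = train(HAM, SPAM)
PLAIN = "buy cheap pills online"
PADDED = PLAIN + " java cpan xss .net review"   # buzzwords secreted in body

if __name__ == "__main__":
    for m in (PLAIN, PADDED):
        print(f"{m!r}: all tokens -> {classify(MODEL, m)}, "
              f"top 4 tokens -> {classify(MODEL, m, top_k=4)}")
```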
The global ratio of email-borne viruses in email
traffic from new and previously unknown bad sources destined for
valid recipients, was 1 in 89.6 emails (1.12 percent) in September,
an increase of 0.1 percent since last month.
In 2006, MessageLabs has also seen a marked
shift in the way online criminals are distributing their malware,
in that the proportion of executable-type attachments has declined.
This has given way to more social engineering attacks, like phishing.
The convergence of email threats and the web
as a medium has led to an increase in the number of emails containing
links to websites hosting malicious software. The malicious website
then becomes the vehicle by which the malware is installed onto
This is highlighted in the charts below:
A "Botnet" is a collection of compromised
computers around the world, infected with trojan horses, or backdoor
software, and united by a common command and control infrastructure.
A botnet's controller ("bot herder") can control the
group remotely, en masse. It can be seen from the following table
that bots are increasing in number and distribution:
This shows that over the last two quarters in
2006, the UK has remained fifth in the top-ten list of botnet-infected
regions. However, it is encouraging to note that the percentage
of botnet-infected computers in the UK has dropped by 0.4 percent.
This percentage represents the proportion
of "bots" worldwide; it equates to an estimated 134,400 computers
in the UK currently participating in a botnet of some kind.
Botnet computers are typically high-bandwidth (DSL connected)
home computers, with little or no protection in place.
September 2006 showed a large increase of 0.27
percent in the proportion of phishing attacks compared with the
previous month. One in 170 (0.59 percent) emails was some form
of phishing attack. When judged as a proportion of all email-borne
threats such as viruses and trojans, the number of phishing emails
has risen by 21.7 percent. Phishing attacks accounted for more
than half (52.4 percent) of all malicious emails intercepted by
MessageLabs in September.
Phishing attacks continue to become more targeted
as more criminal groups shift their attention from creating malware
to conducting phishing attacks. The nature of these attacks has
also changed in recent months, as the main organisations now being
targeted have become those banks that have not currently deployed
any two-factor authentication security measures. The approach
undertaken by some banking organisations has indirectly resulted
in a huge increase in the phishing attacks directed against those
banks that may be delaying implementation or still investigating
such technology. Those banks that have deployed this technology
are still being subjected to attacks, but on a much lesser scale.
These increased attacks were also a prelude
to the release of Microsoft Internet Explorer 7.0, which was launched
in October. IE7 includes additional anti-phishing countermeasures.
Already, MessageLabs has seen examples of specially crafted bank
trojans that are being sold on the Internet, which can be customised
for as little as US $800 to target any online banking website.
The trojan approach works by monitoring browser addresses and
when the victim visits a target site, the trojan will wait for
the user to complete the authentication process before hijacking
the session and handing control to the criminals.
In the table below it can be seen that the most
common trigger for policy-based filtering, applied by MessageLabs
for its business clients, is Advertisements & Popups (90.1
The "Unclassified" category identifies
new and previously uncategorised sites that may potentially need
to be prohibited. The "Unclassified" category affords
more confidence when defining new rules, which means that newly
detected malicious sites may be handled more appropriately until
categorised, thereby safeguarding against sites which appear and
disappear within a 24 to 48 hour timeframe; such sites may be
used for disreputable purposes, such as hosting phishing and spam
sites, information stealing trojans and other fraudulent activities.
Analysis of web security activity also shows
that 99.7 percent of interceptions occur as the result of a rule
triggered by a policy, which has been implemented by a system
administrator. However, 0.3 percent of interceptions are the
result of malware or potentially unwanted programs, including
adware and spyware, that were detected heuristically by MessageLabs.
In the short-term, a high-degree of vigilance
can prevail against some of the more contemporary attacks, but
only for so long. As cyber criminals become more organised and
highly developed, attacks are becoming more targeted, using social
engineering to bypass technological barriers. Even the most cautious
amongst us may fall prey to such an attack; curiosity in humans,
as in cats, can have a very powerful and dangerous influence, sometimes
overtaking any consideration for safe computing practices. Accordingly,
businesses and individuals alike must consider the primary conduit
through which these threats flow in order to mitigate them effectively.
To do this securely, the principal security
defences should be concentrated on these ingress points rather
than at the desktop, where often it can already be too late
when a breach occurs. Taking this to another level, protocol independent
defensive countermeasures woven into the fabric of the internet
itself will become the key component of any services-orientated
solution. In the same way, domestic broadband connections are
the most heavily abused in terms of botnet dispersion, and in
turn home users will be looking to their ISP to provide solutions
at the Internet level itself.
Over time, legislation and enforcement in this
area will improve and through greater international co-operation
and co-ordination it will become much more difficult for the cyber
criminals to exploit the differences in cross-border jurisdiction.
However, this is fundamentally a technical problem and as such
will always require a technical solution, first and foremost,
and by addressing the problem "in the cloud" at the
Internet level, it is taking the fight one step closer to the
23rd October 2006