Security and the Internet

Fighting malware

©David Rooney

A few years ago, certain users of Microsoft Windows found that their personal files had been translated into gibberish. In the panic to locate the programme that would decode the file, this message appeared:

“Your computer caught our software while browsing. All your documents, texts, databases were archived with a long password… Do not try to search for a programme that encrypted your information… Reporting to police will not help you, they do not know the password.… You and other people will lose contact with us, and consequently, all encrypted information.”

At which point the victim was directed to the pages of an online drug store, where only by making a purchase would the password be revealed.

Extortion is widespread on the Internet. In this case, the blackmailer was “Archiveus”, a type of virus known as a Trojan. Like its namesake, a Trojan appears benign, but contains an army of malicious software, “malware”: worms, backdoors, spyware, rootkits, botnets, etc. State-of-the-art malware has the versatility of a Swiss army knife.

New versions of worms can leave backdoors for “bots” to enter and build up a “botnet”–a network of zombie computers working in tandem and without the user’s knowledge to destroy personal data, sabotage computer systems, and launch distributed denial of service (DDoS) attacks to flood websites, making them impossible to access. Botnets may conscript hundreds, indeed thousands of computers. Two years ago, police in the Netherlands arrested two so-called “bot-herders”, as operators are called, who masterminded several botnets totalling some 1.5 million compromised computers engaged in fraud, identity theft and online extortion.

Malware is no longer a prank but a form of cybercrime and a lucrative industry. Neophytes find that getting a foot in the door is easy, since malware is readily available online. It is also inexpensive and user-friendly, allowing criminals to launch attacks beyond their technical skill. A botnet of 1,000-2,000 bots can even be contracted for US$50-60 per week, or about 33 cents per infected computer.

Computer security companies are overwhelmed by the amount of malware seeping into networks. One vendor employs 50 engineers to analyze some 200 samples per day, a figure that continues to grow. Another receives a daily average of 15,000 files from product users and CSIRTs (Computer Security Incident Response Teams), and sometimes as many as 70,000. Malware today is harder to detect, thus more difficult to quantify. Moreover, many countries have their own terminology and criteria for classifying malware, which is hardly ideal given the global nature of the Internet and crime.

Financial losses from malware are difficult to assess. Banks in the UK estimated that losses from malware in 2006 were £33.5 million ($62 million), a 90% increase over two years. A survey of 52 IT professionals and managers put losses at €9.3 billion that same year. As for individual consumers, those in the US paid $7.8 billion over a two-year period to repair damages caused by malware.

Individual users are the typical victims, accounting for 93% of attacks. What can they do about it? A 2005 report commissioned by the Australian government revealed that only one out of three users ran up-to-date antivirus software and only one in seven computers had a firewall. In the US, as many as 59 million users are believed to have spyware or other malware on their computers. This is all the more surprising, considering the abundance of warnings about infection. On the other hand, anti-virus programmes are often costly, quickly out of date and so not seen as a guarantee against criminals. In a survey, seventeen of these programmes failed to detect over 48% of malware. Malware is more than skin deep; it’s insidious and pervasive.

Policy could help, based on additional research and by providing incentives for market players to respond to malware. These incentives may be rooted in economic, legal and other mechanisms, reflecting specific conditions and relationships in different markets, formal legal rules as well as informal behaviour. People will make their own judgements about trade-offs regarding what kind of security measures they deem appropriate and reasonable. Some service providers, say in financial services, may find it cheaper to compensate victims of malware rather than investing in new security technology. Awareness may need to be built too, as many end users are not aware that they do not bear the cost if their computers are infected with malware and are used to attack others. Above all, what is needed is a new way of thinking, in which everyone, from the individual user to software vendors to governments, assumes their just portion of responsibility.

In its Security Guidelines, the OECD recognises that protecting networks requires a pre-emptive approach; anticipating threats is as vital as mitigating them once they occur. Swift reaction is essential, but not enough. Each year the interval between the disclosure of a vulnerability and its exploitation shortens. True, detection rates are increasing, though it is unclear whether this is due to better detection or to a growing proliferation of malware. The amplitude of attacks has also decreased, but this may signal a change of strategy, replacing sudden big attacks with low-intensity ones to escape notice. Computers are no longer the only targets, as new malware has started to prey on mobile devices too.

The Internet is witnessing an explosion of malware and realism demands that some degree of insecurity be tolerated. But as malware erodes confidence in the Internet, so it must be resisted. In its report on Malware: A Security Threat to the Internet Economy, the OECD calls on governments, the private sector, the technical and the civil communities to form a global “Anti-Malware Partnership” to find ways to reduce software vulnerabilities, raise awareness, establish codes of practice, and improve the coordination of CSIRTs. The need for a consistent approach to a global problem is not new, but malware presents new challenges and fighting it would benefit from more comprehensive measurement and co-ordination of policy solutions. LT

©OECD Observer No 268, June 2008


NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.
