Security and the Internet

Fighting malware

©David Rooney

A few years ago, certain users of Microsoft Windows found that their personal files had been translated into gibberish. In the panic to locate the programme that would decode the file, this message appeared:

“Your computer caught our software while browsing. All your documents, texts, databases were archived with a long password… Do not try to search for a programme that encrypted your information… Reporting to police will not help you, they do not know the password… You and other people will lose contact with us, and consequently, all encrypted information.”

At which point the victim was directed to the pages of an online drug store, where only by making a purchase would the password be revealed.

Extortion is widespread on the Internet. In this case, the blackmailer was “Archiveus”, a type of virus known as a Trojan. Like its namesake, a Trojan appears benign, but contains an army of malicious software, “malware”: worms, backdoors, spyware, rootkits, botnets, etc. State-of-the-art malware has the versatility of a Swiss army knife.

New versions of worms can leave backdoors for “bots” to enter and build up a “botnet”: a network of zombie computers working in tandem and without the user’s knowledge to destroy personal data, sabotage computer systems, and launch distributed denial of service (DDoS) attacks to flood websites, making them impossible to access. Botnets may conscript hundreds, indeed thousands, of computers. Two years ago, police in the Netherlands arrested two so-called “bot-herders”, as operators are called, who masterminded several botnets totalling some 1.5 million compromised computers engaged in fraud, identity theft and online extortion.

Malware is no longer a prank but a form of cybercrime and a lucrative industry. Neophytes find that getting a foot in the door is easy, since malware is readily available online. It is also inexpensive and user-friendly, allowing criminals to launch attacks beyond their technical skill. A botnet of 1,000-2,000 bots can even be contracted for US$50-60 per week, or about 33 cents per infected computer.

Computer security companies are overwhelmed by the amount of malware seeping into networks. One vendor employs 50 engineers to analyze some 200 samples per day, a figure that continues to grow. Another receives a daily average of 15,000 files from product users and CSIRTs (Computer Security Incident Response Teams), and sometimes as many as 70,000. Malware today is harder to detect, thus more difficult to quantify. Moreover, many countries have their own terminology and criteria for classifying malware, which is hardly ideal given the global nature of the Internet and crime.

Financial losses from malware are difficult to assess. Banks in the UK estimated that losses from malware in 2006 were £33.5 million ($62 million), a 90% increase over two years. A survey of 52 IT professionals and managers put losses at €9.3 billion that same year. As for individual consumers, those in the US paid $7.8 billion over a two-year period to repair damages caused by malware.

Individual users are the typical victims, accounting for 93% of attacks. What can they do about it? A 2005 report commissioned by the Australian government revealed that only one out of three users ran up-to-date antivirus software and only one in seven computers had a firewall. In the US, as many as 59 million users are believed to have spyware or other malware on their computers. This is all the more surprising, considering the abundance of warnings about infection. On the other hand, anti-virus programmes are often costly, quickly out of date and so not seen as a guarantee against criminals. In a survey, seventeen of these programmes failed to detect over 48% of malware. Malware is more than skin deep; it’s insidious and pervasive.

Policy could help, based on additional research and by providing incentives for market players to respond to malware. These incentives may be rooted in economic, legal and other mechanisms, reflecting specific conditions and relationships in different markets, formal legal rules as well as informal behaviour. People will make their own judgements about trade-offs regarding what kind of security measures they deem appropriate and reasonable. Some service providers, say in financial services, may find it cheaper to compensate victims of malware rather than investing in new security technology. Awareness may need to be built too, as many end users are not aware that they do not bear the cost if their computers are infected with malware and are used to attack others. Above all, what is needed is a new way of thinking, in which everyone, from the individual user to software vendors to governments, assumes their just portion of responsibility.

In its Security Guidelines, the OECD recognises that protecting networks requires a pre-emptive approach; anticipating threats is as vital as mitigating them once they occur. Swift reaction is essential, but not enough. Each year the interval between the disclosure of a vulnerability and its exploitation shortens. True, detection rates are increasing, though it is unclear whether this is due to better detection or to a growing proliferation of malware. The amplitude of attacks has also decreased, but this may signal a change of strategy, replacing sudden big attacks with low-intensity ones to escape notice. Computers are no longer the only targets, as new malware has started to prey on mobile devices too.

The Internet is witnessing an explosion of malware and realism demands that some degree of insecurity be tolerated. But as malware erodes confidence in the Internet, so it must be resisted. In its report on Malware: A Security Threat to the Internet Economy, the OECD calls on governments, the private sector, the technical and the civil communities to form a global “Anti-Malware Partnership” to find ways to reduce software vulnerabilities, raise awareness, establish codes of practice, and improve the coordination of CSIRTs. The need for a consistent approach to a global problem is not new, but malware presents new challenges, and fighting it would benefit from more comprehensive measurement and co-ordination of policy solutions.

LT
©OECD Observer No 268, June 2008
