A few years ago, certain users of Microsoft Windows found that their personal files had been translated into gibberish. In the panic to locate the programme that would decode the file, this message appeared:
Your computer caught our software while browsing. All your documents, texts, databases were archived with a long password… Do not try to search for a programme that encrypted your information… Reporting to police will not help you, they do not know the password… You and other people will lose contact with us, and consequently, all encrypted information.
At which point the victim was directed to the pages of an online drug store, where only by making a purchase would the password be revealed.
Extortion is widespread on the Internet. In this case, the blackmailer was “Archiveus”, a type of virus known as a Trojan. Like its namesake, a Trojan appears benign, but contains an army of malicious software, “malware”: worms, backdoors, spyware, rootkits, botnets, etc. State-of-the-art malware has the versatility of a Swiss army knife.
New versions of worms can leave backdoors for “bots” to enter and build up a “botnet” – a network of zombie computers working in tandem and without the user’s knowledge to destroy personal data, sabotage computer systems, and launch distributed denial of service attacks (DDoS) to flood websites, making them impossible to access. Botnets may conscript hundreds, indeed thousands of computers. Two years ago, police in the Netherlands arrested two so-called “bot-herders”, as operators are called, who masterminded several botnets totalling some 1.5 million compromised computers engaged in fraud, identity theft and online extortion.
Malware is no longer a prank but a form of cybercrime and a lucrative industry. Neophytes find that getting a foot in the door is easy, since malware is readily available online. It is also inexpensive and user-friendly, allowing criminals to launch attacks beyond their technical skill. A botnet of 1,000-2,000 bots can even be contracted for US$50-60 per week, or about 33 cents per infected computer.
Computer security companies are overwhelmed by the amount of malware seeping into networks. One vendor employs 50 engineers to analyze some 200 samples per day, a figure that continues to grow. Another receives a daily average of 15,000 files from product users and CSIRTs (Computer Security Incident Response Teams), and sometimes as many as 70,000. Malware today is harder to detect, thus more difficult to quantify. Moreover, many countries have their own terminology and criteria for classifying malware, which is hardly ideal given the global nature of the Internet and crime.
Financial losses from malware are difficult to assess. Banks in the UK estimated that losses from malware in 2006 were £33.5 million ($62 million), a 90% increase over two years. A survey of 52 IT professionals and managers put losses at €9.3 billion that same year. As for individual consumers, those in the US paid $7.8 billion over a two-year period to repair damages caused by malware.
Individual users are the typical victims, accounting for 93% of attacks. What can they do about it? A 2005 report commissioned by the Australian government revealed that only one out of three users ran up-to-date antivirus software and only one in seven computers had a firewall. In the US, as many as 59 million users are believed to have spyware or other malware on their computers. This is all the more surprising, considering the abundance of warnings about infection. On the other hand, anti-virus programmes are often costly, quickly out of date and so not seen as a guarantee against criminals. In a survey, seventeen of these programmes failed to detect over 48% of malware. Malware is more than skin deep; it’s insidious and pervasive.
Policy could help, based on additional research and by providing incentives for market players to respond to malware. These incentives may be rooted in economic, legal and other mechanisms, reflecting specific conditions and relationships in different markets, formal legal rules as well as informal behaviour. People will make their own judgements about trade-offs regarding what kind of security measures they deem appropriate and reasonable. Some service providers, say in financial services, may find it cheaper to compensate victims of malware rather than investing in new security technology.
Awareness may need to be built too, as many end users are not aware that they do not bear the cost if their computers are infected with malware and are used to attack others.
Above all, what is needed is a new way of thinking, in which everyone, from the individual user to software vendors to governments, assumes their just portion of responsibility.
In its Security Guidelines, the OECD recognises that protecting networks requires a pre-emptive approach; anticipating threats is as vital as mitigating them once they occur. Swift reaction is essential, but not enough. Each year the interval between the disclosure of a vulnerability and its exploitation shortens. True, detection rates are increasing, though it is unclear whether this is due to better detection or to a growing proliferation of malware. The amplitude of attacks has also decreased, but this may signal a change of strategy, replacing sudden big attacks with low-intensity ones to escape notice. Computers are no longer the only targets, as new malware has started to prey on mobile devices too.
The Internet is witnessing an explosion of malware and realism demands that some degree of insecurity be tolerated. But as malware erodes confidence in the Internet, so it must be resisted. In its report on Malware: A Security Threat to the Internet Economy, the OECD calls on governments, the private sector, the technical and the civil communities to form a global “Anti-Malware Partnership” to find ways to reduce software vulnerabilities, raise awareness, establish codes of practice, and improve the coordination of CSIRTs. The need for a consistent approach to a global problem is not new, but malware presents new challenges and fighting it would benefit from more comprehensive measurement and co-ordination of policy solutions.
©OECD Observer No 268 June 2008