7. Fighting Malware
1. Protecting against, detecting and responding to malware has become increasingly complex as malware and the underlying criminal activity which it supports are rapidly evolving and taking advantage of the global nature of the Internet. Many organisations and individuals do not have the resources, skills or expertise to prevent and/or respond effectively to malware attacks and the associated secondary crimes which flow from those attacks such as identity theft, fraud and DDoS. In addition, the scope of one organisation’s control to combat the problem of malware is limited.
2. Many security companies report an inability to keep up with the overwhelming amounts of malware despite committing significant resources to analysis. One vendor dedicates 50 engineers to analysing new malware samples and finding ways to block them, but notes that this is almost an impossible task, with about 200 new samples per day and growing. Another company reported it receives an average of 15 000 files – and as many as 70 000 – per day from their product users as well as CSIRTs and others in the security community. When samples and files are received, security companies undertake a process to determine if the file is indeed malicious. This is done by gathering data from other vendors, conducting automated analysis, or by conducting manual analysis when other methods fail to determine the malicious nature of the code. One vendor estimated that each iteration of this cycle takes about 40 minutes and that they release an average of 10 updates per day. Furthermore, there are many security vendors who all have different insights into the malware problem.
3. Most security technologies such as anti-virus or anti-spyware products are signature–based meaning they can only detect those pieces of malware for which an identifier, known as a “signature” already exists and have been deployed. There is always a time lag between when new malware is released by attackers into the “wild”, when it is discovered, when anti-virus vendors develop their signatures, and when those signatures are dated onto users and organisations’ information systems. Attackers actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature based solutions such as anti-virus programs are largely insufficient to combat today’s complex and prevalent malware. For example, one analysis that explores antivirus detection rates for 17 different anti-virus vendors reveals that, on average, only about 48.16% of malware was detected. Circumstantial evidence such as this indicates that attackers are actively testing new malware creations against popular anti-virus programs to ensure they stay undetected.
4. In addition, malicious actors exploit the distributed and global nature of the Internet as well as the complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of being identified and prosecuted. For example, a large portion of data trapped by attackers using keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-existent or not easily enforceable. Although countries across the globe have recognised the seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all have legal frameworks that support the prosecution of cyber criminals. The problem however is even more complicated as information may be compromised in one country by a criminal acting from another country through servers located in a third country, all together further complicating the problem.
5. Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information can often mean that evidence is destroyed by the time law enforcement officers can get the necessary warrants to recover equipment. The bureaucracy of law enforcement provides good checks and balances, but is often too slow to cope with the speed of electronic crime. Additionally, incident responders often do not understand the needs of law enforcement and accidently destroy electronic evidence. Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the criminal activity.
6. Cyberspace offers criminals a large number of potential targets and ways to derive income from online victims. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated.
7. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self sustaining attack system. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.
 OECD, Malicious Software (Malware): A Security Threat to Internet economy, 2007