2004: Year of the global malware epidemic - Top ten lessons

London, UK - 21 November 2004, 16:30 GMT - 2004 is set to become the worst year on record for malware variants and their hybrids, as vulnerabilities in Microsoft Windows are exploited within days of being posted on the internet. Witness the latest and ongoing Bofra malware episode, a hybrid of the MyDoom family. There is evidence that malware writers are learning from each other's code and continuously refining carrier vectors based on live tests in the internet environment. This, in turn, encourages "monkey see, monkey do" playground behaviour, with dangerous consequences.
    
The Chinese year of the Monkey has indeed come to pass across the globe, as nearly 115 million computers across 200 countries have been infected at one time or another this year by rapidly proliferating malware agents including trojans, viruses and worms. As many as 11 million computers worldwide - mostly within homes and small organisations - are now believed to be permanently infected zombies, used by criminal syndicates or other malevolent actors to send out spam; mount Distributed Denial of Service (DDoS) attacks; carry out extortion, identity theft and phishing scams; or disseminate new malware.
    
The threat is rising because anti-virus tool kits, firewalls and intrusion detection systems, even combined, are unable to deal in advance with malware that sends no attachments but relies on inconspicuous hyperlinks to solicit further infections. Unsuspecting users have lost the battle the moment they click a hyperlink that directs their clean machine's browser to an infected machine. Variants are added to virus definitions and signatures only once they are well researched and understood, by which time they are mostly a few days old. This is usually after the horse has bolted!
    
In some instances, the appropriate patch from the software vendor is still not available, or is part of an elaborate Service Pack that users have not installed because that significant addition may interfere with their existing applications or is incompatible with their machines' BIOS. This calls into question the whole approach of fighting the malware malaise through present methods.
    
    The top five malware families of all time including hybrids are: 1. MyDoom; 
    2. Netsky; 3. SoBig; 4. Klez; and 5. Sasser. The total economic damage worldwide 
    from malware proliferation - with an additional 480 new species in 2004 alone 
    - is now estimated to lie between $166bn and $202bn for 2004 by the mi2g 
    Intelligence Unit. With an installed base of around 600 million Windows 
    based computers worldwide, this works out roughly as average damage per installed 
    machine of between $277 and $336. 
    
"As a trend, the estimated economic damage per installed machine in 2004 is significant to the Total Cost of Ownership (TCO) calculations for Windows, which most responsible CFOs are revisiting with their CIOs for 2005," said DK Matai, Executive Chairman, mi2g. "On the other hand, it may not be sufficiently large to cause dramatic shifts away from Windows given the inertia of the massive installed base and associated deep knowledge of software behavioural response in users' minds."
    
    "The legacy investment write-off required to shift away from Windows 
    to other mainstream platforms such as Linux, BSD 
    or Apple Mac OS X, has been historically projected to be higher in the 
    new year's budget spreadsheets put together by board-level executives of reputable 
    corporations. The TCO arguments have come out in favour of Microsoft 
    especially when the migration costs measured in terms of stakeholders' inconvenience, 
    time allocation and refinancing; requirement for retraining administrators, 
    personnel, key suppliers and customers; as well as porting in-house software 
    applications and databases to the new environment, have been taken fully into 
    account." 
    
    "It remains to be seen what is the net impact in 2005 of '2004', the 
    year of the global malware epidemic, on the established base of Windows aficionados 
    within the decision makers' clique at board level. Over the last few years, 
    it has been a case of better the 'devil' we know than the one we don't." 
    
    
    Digital risk damages are calculated by the mi2g Intelligence Unit on 
    the basis of helpdesk support costs, overtime payments, contingency outsourcing, 
    loss of business, bandwidth clogging, productivity erosion, management time 
    reallocation, cost of recovery and software upgrades. When available, Intellectual 
    Property Rights (IPR) violations as well as customer and supplier liability 
    costs have also been included in the estimates.
    
The top ten lessons learnt from the global malware epidemic of 2004, a year which produced the costliest and fastest spreading malware families of all time, are as follows:
    
    1. Monoculture issues and law enforcement - The global economy is digitally 
    interlinked and at present too reliant on a single operating system and associated 
    software. Diversity of computing platforms and applications based on common 
    standards needs to be encouraged by governments worldwide, especially as the 
    criminal syndicates move in to exploit the convenience offered by the homogeneous 
    computing base. Law enforcement agencies also need to collaborate worldwide 
    to ensure that computer criminals are brought to justice and malware-writers 
    and hackers are not viewed romantically.
    
2. User awareness and education - Computer users remain largely unaware that their computers have been participating in a massive DDoS attack initiated by the malware infecting their machine. The fact that an individual computer can be hijacked and used as an anonymous component of a massive weapon is not commonly understood across the globe. More needs to be done by governments and computer vendors to raise awareness and educate users on the dangers of leaving a computer in a standard configuration without applying appropriate security measures. Investment in strategy and training is essential, in addition to the procurement of the right security hardware and software.
    
3. Army of zombies - In 2004, malware variants assembled armies of millions of infected computers (zombies) in less than a week and used them to mount DDoS attacks on reputable vendors. ISPs and computer owners who are online need to be more vigilant against this type of attack across the globe. 24/7 online services should not be sold without appropriate firewall and automatic anti-virus protection. ISPs should agree on a global standard for vigilance and mount periodic checks on their customers to ensure that they are all complying with the appropriate levels of protection.
    
4. Unreliable computing - The landscape of computing is extremely turbulent, yet the world depends on computing - especially email, online shopping and banking - as if it were a utility service. In terms of uptime, computing does not presently come anywhere near the reliability of water, electricity and voice telephony services. This is a major shortcoming that denies users a high quality of service and endangers them through the computer criminals who perpetrate piracy, surrogacy, denial of service and associated hazards.
    
5. Opportunistic criminal activity - Malware has spawned offspring variants within hours or days, which may have been released by somebody other than the original perpetrator(s), and the back doors left open on infected machines have been quickly colonised and pillaged by opportunistic hackers on the prowl for credit card numbers, banking and online shopping details, as well as other vital documents. The law enforcement agencies in most of the 200 infected countries need to co-operate more closely to become aware of the local criminal elements that take advantage of global malware epidemics.
    
6. Data and computing separation - There needs to be a separation between the vital data that people hold and the computing platforms they use to access the internet, which may be subject to frequent malevolence. Keeping the two apart is what maintains recoverability. In the long run it is preferable that people vault their data, much as they deposit their money at a bank, and retrieve it through higher layers of authentication involving smart cards and biometrics, so that a compromised computer does not lead to the loss of valuables, identity or reputation. This, in essence, is the philosophy behind mi2g's D2-Banking initiative.
    
    7. Growing economic damage - Fast spreading malware is becoming increasingly 
    frequent and does not leave much time for post-event preparation. If it is 
    successful in breaching the defences of an organisation or individual, the 
    consequences are economically more damaging than in the past. In this environment, 
    the survivors are the ones that have security regimes that champion planning, 
    preparation and contingency capability. The Distributed Intelligent Malware 
    Agents (DIMA) like MyDoom are likely to inflict more economic damage and may 
    exhibit even more complexity and component capability than presently observed. 
    
    The MyDoom family including all its variants and hybrids over the year, such 
    as the latest Bofra, is estimated to have caused $74 billion of economic damage 
    worldwide so far - the highest mi2g damage estimate for any malware 
    family. As a result, private and publicly listed corporations; universities 
    and schools; large and small organisations; as well as home users, have suffered 
    significant online delays, congestion and email service disruption worldwide. 
    
    
    8. Early warning centres - Every country in the world should have an 
    early warning centre for their internet exposed economic base. The citizens 
    of that country can then be alerted through non-internet based channels such 
    as mobile text messages or television/radio broadcast whenever a global internet 
    disruption or fast spreading epidemic occurs.
    
9. Home users - Whilst corporations and government departments have the budgets, expertise and detailed knowledge of configuration management, firewalls, anti-virus tool kits and security best practices, home users are increasingly victimised by malware epidemics, phishing scams, spam campaigns and the proliferation of hacker attacks. The complexity of computer protection is no longer manageable by a lay person; it needs to be outsourced upstream to ISPs, or new computing services need to be developed that totally automate the process. It is highly unlikely that users will be able to guarantee their own safety and security whilst they are given the freedom to download and install software as they please. Higher levels of security and safety are much more likely if users dial into a centralised secure service that vaults their data and money, granting access only once a triple-layer authentication process has been completed which includes something that they are, something that they carry and something that they know. [D2-Banking Executive Summary]
    
10. Social responsibility - When an infected computer is turned into a zombie by malware like MyDoom, it can be used as an agent for malevolent purposes against the owner, any third-party organisation or society as a whole. Whenever computer users leave their machines online without appropriate configuration, firewalls and associated security software, they not only endanger their own safety and security, but their carelessness can have grave social consequences beyond their local community. More needs to be done by computer vendors and law enforcement bodies to bring it to the attention of the public that those who do not take the protection of their computer systems seriously are being socially irresponsible, in the same way as "drinking and driving."
    
    [ENDS] 
   
    mi2g is at the leading edge of building secure on-line banking, broking 
    and trading architectures. The principal applications of our technology are:
    
    1. D2-Banking; 
    2. Digital Risk Management; and 
    3. Bespoke Security Architecture.
    
    mi2g pioneers enterprise-wide security practices and technology to 
    save time and cut cost. We enhance comparative advantage within financial 
    services and government agencies. Our real time intelligence is deployed worldwide 
    for contingency capability, executive decision making and strategic threat 
    assessment.
    
mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available as a PDF. Please note the terms and conditions of use listed on www.mi2g.net

Full details of the October 2004 report are available as of 1st November 2004 and can be ordered from mi2g.