2004: Year of the global malware epidemic - Top ten
London, UK - 21 November 2004, 16:30 GMT - 2004 is set to become the
worst year on record for malware variants and their hybrids as vulnerabilities
in Microsoft Windows are exploited within days of being posted on the internet.
Witness the latest and ongoing Bofra malware episode, which is a hybrid of
the MyDoom family. There is evidence to show that malware writers are learning
from each others' code and refining carrier vectors continuously based on
live-tests within the internet environment. This, in turn, encourages playground
behaviour similar to monkey see, monkey do; with dangerous consequences.
The Chinese year of the Monkey has indeed come to pass across the globe as
nearly 115 million computers across 200 countries have been infected at one
time or another this year by rapidly proliferating malware agents including
trojans, viruses and worms. As many as 11 million computers worldwide - mostly
within homes and small organisations - are now believed to be permanently
infected zombies that are used by criminal syndicates or malevolents to send
out spam; mount Distributed Denial of Service (DDoS) attacks; carry out extortion,
identity theft and phishing scams; or disseminate new malware.
The threat is rising as anti-virus tool kit, firewall and intrusion detection
systems combined are unable to deal in advance with malware that does not
send attachments but relies on inconspicuous hyperlinks to solicit further
infections. The unsuspecting users have lost the battle the moment a hyperlink
is clicked which directs their clean machine's browser to an infected machine.
Well researched, understood and mostly a few days old variants are subsequently
added to virus definitions and signatures. This is usually after the horse
In some instances, the appropriate patch from the software vendor has still
not become available or is part of an elaborate Service Pack that users have
not installed because that significant addition may interfere with their existing
applications or is incompatible with their machines' BIOS, calling into question
the whole approach of fighting the malware malaise through present methods.
The top five malware families of all time including hybrids are: 1. MyDoom;
2. Netsky; 3. SoBig; 4. Klez; and 5. Sasser. The total economic damage worldwide
from malware proliferation - with an additional 480 new species in 2004 alone
- is now estimated to lie between $166bn and $202bn for 2004 by the mi2g
Intelligence Unit. With an installed base of around 600 million Windows
based computers worldwide, this works out roughly as average damage per installed
machine of between $277 and $336.
"As a trend the estimated economic damage
per installed machine in 2004 is significant to the Total Cost of Ownership
(TCO) calculations for Windows, which most responsible CFOs are revisiting
with their CIOs for 2005," said DK
Matai, Executive Chairman, mi2g. "On
the other hand, it may not be sufficiently large to cause dramatic shifts
away from Windows given the inertia of the massive installed base and associated
deep knowledge of software behavioural response in users' minds."
"The legacy investment write-off required to shift away from Windows
to other mainstream platforms such as Linux, BSD
or Apple Mac OS X, has been historically projected to be higher in the
new year's budget spreadsheets put together by board-level executives of reputable
corporations. The TCO arguments have come out in favour of Microsoft
especially when the migration costs measured in terms of stakeholders' inconvenience,
time allocation and refinancing; requirement for retraining administrators,
personnel, key suppliers and customers; as well as porting in-house software
applications and databases to the new environment, have been taken fully into
"It remains to be seen what is the net impact in 2005 of '2004', the
year of the global malware epidemic, on the established base of Windows aficionados
within the decision makers' clique at board level. Over the last few years,
it has been a case of better the 'devil' we know than the one we don't."
Digital risk damages are calculated by the mi2g Intelligence Unit on
the basis of helpdesk support costs, overtime payments, contingency outsourcing,
loss of business, bandwidth clogging, productivity erosion, management time
reallocation, cost of recovery and software upgrades. When available, Intellectual
Property Rights (IPR) violations as well as customer and supplier liability
costs have also been included in the estimates.
The top ten lessons learnt from the malware global epidemic in 2004, which
includes the costliest and fastest spreading malware families of all time,
are as follows:
1. Monoculture issues and law enforcement - The global economy is digitally
interlinked and at present too reliant on a single operating system and associated
software. Diversity of computing platforms and applications based on common
standards needs to be encouraged by governments worldwide, especially as the
criminal syndicates move in to exploit the convenience offered by the homogeneous
computing base. Law enforcement agencies also need to collaborate worldwide
to ensure that computer criminals are brought to justice and malware-writers
and hackers are not viewed romantically.
2. User awareness and education - Computer users remain largely unaware
that their computers have been participating in a massive DDoS attack initiated
by the malware infecting their machine. This knowledge that an individual
computer can be hijacked and used as an anonymous component of a massive weapon
is not commonly understood across the globe. More needs to be done by governments
and computer vendors to raise awareness and educate users on the dangers of
leaving a computer in a standard configuration without applying appropriate
security measures. Investment in strategy and training is essential. This
is necessary in addition to the procurement of the right security hardware
3. Army of zombies - The DDoS attacks on reputable vendors have been
mounted through an army of millions of infected computers (zombies) by the
malware variants in 2004 in less than a week. ISPs and computer owners who
are online need to be more vigilant of those type of attacks across the globe.
24/7 online services should not be sold without appropriate firewall and automatic
anti-virus protection. ISPs should agree on a global standard for vigilance
and mount a periodic check on their customers to ensure that they are all
complying with the appropriate levels of protection.
4. Unreliable computing - The landscape of computing is extremely turbulent
and the world depends on computing - especially email, online shopping and
banking - as if it were a utility service. The reliability of water, electricity
and voice telephony services is not presently displayed by computing at all
in terms of Uptime. This is a major shortcoming that
denies users a high quality of service and endangers them through the computer
criminals who perpetrate piracy, surrogacy, denial of service and associated
5. Opportunistic criminal activity - Malware has led to their offspring
variants within hours or days, which may have been released by somebody other
than the original perpetrator(s), and the back doors that have been left open
on infected machines have been quickly colonised and pillaged by opportunistic
hackers on the prowl to get hold of credit card numbers, banking and online
shopping details as well as other vital documents. The law enforcement agencies
in most of the 200 infected countries need to co-operate more to become aware
of the local criminal elements that take advantage of global malware epidemics.
6. Data and computing separation - There needs to be a separation between
vital data that people hold and the computing platforms they use to access
the internet which may be subject to frequent malevolence. Vital data and
the computing platforms used for online access have to be separated to maintain
recoverability. In the long run it is preferable that people vault their data
like depositing their money at a bank and retrieve it through higher layers
of authentication that involve smart cards and biometrics so that their compromised
computers do not lead to the loss of valuables, identity or reputation. This
in essence is the philosophy behind mi2g's
7. Growing economic damage - Fast spreading malware is becoming increasingly
frequent and does not leave much time for post-event preparation. If it is
successful in breaching the defences of an organisation or individual, the
consequences are economically more damaging than in the past. In this environment,
the survivors are the ones that have security regimes that champion planning,
preparation and contingency capability. The Distributed Intelligent Malware
Agents (DIMA) like MyDoom are likely to inflict more economic damage and may
exhibit even more complexity and component capability than presently observed.
The MyDoom family including all its variants and hybrids over the year, such
as the latest Bofra, is estimated to have caused $74 billion of economic damage
worldwide so far - the highest mi2g damage estimate for any malware
family. As a result, private and publicly listed corporations; universities
and schools; large and small organisations; as well as home users, have suffered
significant online delays, congestion and email service disruption worldwide.
8. Early warning centres - Every country in the world should have an
early warning centre for their internet exposed economic base. The citizens
of that country can then be alerted through non-internet based channels such
as mobile text messages or television/radio broadcast whenever a global internet
disruption or fast spreading epidemic occurs.
9. Home users - Whilst corporations and government departments have
the budgets, expertise and detailed knowledge of configuration management,
firewalls, anti-virus tool kits and security best practices, the home users
are increasingly victimised by malware epidemics, phishing scams, spam campaigns
and frequent hacker attacks proliferation. Complexity of computer protection
is no longer manageable by a lay person and needs to be outsourced either
upstream to ISPs or new computing services need to be developed that totally
automate the process. It is highly unlikely that whilst users are given the
freedom to download software and install it as they please, they will be able
to guarantee their own safety and security. It is much more likely that higher
levels of security and safety can be offered if users dial into a centralised
secure service that vaults their data and money, whilst granting access only
when a triple-layer authentication process has been completed which includes
something that they are, something that they carry and something that they
know. [D2-Banking Executive Summary]
10. Social responsibility - When an infected computer is turned into
a zombie by malware like MyDoom, it can be used as an agent for malevolent
purposes against the owner, any third party organisation or society as a whole.
Whenever computer users leave their machines online without appropriate configuration,
firewalls and associated security software, they not only endanger their own
safety and security, but their carelessness can have grave social consequences
beyond their local community. More needs to be done by computer vendors and
law enforcement bodies to bring it to the attention of the public that those
who do not take the protection of their computer systems seriously are being
socially irresponsible, for example, like "drinking and driving."
mi2g is at the leading edge of building secure on-line banking, broking
and trading architectures. The principal applications of our technology are:
2. Digital Risk Management; and
3. Bespoke Security Architecture.
mi2g pioneers enterprise-wide security practices and technology to
save time and cut cost. We enhance comparative advantage within financial
services and government agencies. Our real time intelligence is deployed worldwide
for contingency capability, executive decision making and strategic threat
mi2g Research Methodology: The Frequently Asked Questions (FAQ) List
is available from here in pdf. Please
note terms and conditions of use listed on
Full details of the October 2004 report are available as of 1st November
2004 and can be ordered from here.
(To view contents sample please click here).