The rise of an Internet-savvy middle class in developing countries such as India and China has created a fertile launching pad for the distribution of viruses, spam and malware, which the ‘bad guys’ are now using. As India and China come online through their middle class, new security challenges arise for the broader Western world.
On the Internet, everything is connected to everything else. Distance does not separate a business in London from a virus-compromised home computer in Bangalore or Beijing. The problem for businesses anywhere in the world is that the more compromised computers there are, the greater the torrent of malware and spam.
India and China are in the news because of their tremendous economic growth. The Chinese economy expanded by 9.8 per cent in 2008 and the Indian economy by 6.6 per cent (Statistics from World Internet Statistics, 2008).
This economic power is matched by a growing number of Internet-connected computers and a growing middle class with broadband access at home. India had 81 million Internet users in 2008, while China had 298 million in 2008 (Statistics from The Internet Governance Forum, 2008).
In our experience, it is not just the number of computers or Internet users that causes problems for our customers, but the number of broadband connections. Why? First, when a computer is permanently connected to the Internet, it is easier to infect with a virus. Second, an infected computer can join a botnet and start spamming other Internet users or sending out more viruses. Worse, it can do so at high speed, 24 hours a day.
Broadband statistics show relentless growth for the developing economies. By the end of 2008, the Asia-Pacific region had more than 171 million broadband subscribers—an increase of 31.5 per cent over the previous year (Statistics from Frost & Sullivan, 2008).
Where we see increased virus activity in a region, botnets and spam follow. Our hypothesis is that users in developing countries may be new to the Internet and unaware of the risks they run when they go online and the techniques they need to apply in order to protect themselves.
In 2008, spammers developed an affinity for spamming from large, reputable Web-based e-mail and application services by defeating CAPTCHA (completely automated public Turing test to tell computers and humans apart) techniques to generate massive numbers of personal accounts from these services. Complex Web-based malware targeting social networking sites and vulnerabilities in legitimate websites also became widespread in 2008, resulting in malware being installed onto computers with no user intervention required.
Other methods of malware attack common in 2008 also included attacks disguised as free application downloads and games targeted at new smart phones, and targeted Trojan attacks that rose to a peak of 98 per day in December 2008. Towards the end of 2008, the credit crisis generated many new finance-related attacks as spammers and scammers sought to take advantage of the panic and uncertainty.
In 2009, phishing attacks will focus on exploiting vulnerable DNS domains and websites while any website that requires a personal account to be created online will continue to be targeted and the CAPTCHA failure rate will continue to increase accordingly. MessageLabs experts also predict that in 2009 the emerging markets will be more heavily targeted with spam delivered in the local language.
Growth in foreign language spam, especially Asian character spam, will increase by 100 per cent from current levels (five per cent) to around 10 per cent. In 2009, the major botnets disrupted by the takedown of Intercage and McColo at the end of 2008 are expected to find replacement hosting services in countries such as Russia, Brazil or China.
Virus source and targets
Preliminary data from Skeptic, MessageLabs' predictive proprietary technology, shown in the table below, reveals that India and China are leading sources of viruses.
| Rank | Country of Origin | Percentage of viruses detected |
|---|---|---|
| 1 | USA | 27.73 per cent |
| 2 | Poland | 13.11 per cent |
| 3 | UK | 5.59 per cent |
| 4 | Uruguay | 5.57 per cent |
| 5 | Italy | 4.45 per cent |
| 6 | Japan | 3.52 per cent |
| 7 | India | 3.45 per cent |
| 8 | Spain | 3.05 per cent |
| 9 | Germany | 3.04 per cent |
| 10 | Australia | 2.60 per cent |
| 11 | Korea | 2.38 per cent |
| 12 | China | 2.16 per cent |
In addition to being a major source of viruses, India is also a major target. Our recent data (March 2009) sees India as the third most-spammed country in the world, with 86.8 per cent of e-mails containing spam. And while rankings fluctuate from month to month, it has been in the top four throughout 2008:
| Rank | Country of recipient | Percentage of e-mails containing viruses |
|---|---|---|
| 1 | Switzerland | 1.45 per cent |
| 2 | France | 1.34 per cent |
| 3 | Hong Kong | 1.10 per cent |
| 4 | India | 1.09 per cent |
| 5 | UK | 1.00 per cent |
When we publish data that says that developing economies are the source of a lot of spam, people get concerned because they think there is hacker activity there. That is a concern, but the bigger threat is the rise of consumer IT and the lack of protection of it. If you get some new green fields on the Internet, there’s a period when security is lax and viruses run wild. The situation is similar to the one we faced here a few years ago. However, the big difference is that exploits are much more sophisticated today so an unprotected PC is much more vulnerable.
The threat landscape
MessageLabs secures 2.5 billion e-mail connections and 1.5 billion Web requests every day. This gives us valuable insight into the dangers lurking on the Internet. Overall, spam levels have remained stable, but high, for the last year. In March 2009 alone, 75.7 per cent of all the e-mails we scanned globally contained spam. This increase may possibly correlate to new botnets emerging in green field Internet sites such as India and China.
The overall number of e-mail-borne viruses fell slightly in 2007 to 1 in 117.7 e-mails but increased to 1 in 143.8 in 2008 as new outbreaks occurred. The low average virus rate of 0.7 per cent contrasts strongly with India’s rate of 1.09 per cent in our latest data. Although it is not conclusive, our experience suggests that a high virus rate leads to more infections and in turn a growth in botnets and outbound spam.
There are some worrying trends that show that Internet criminals are upping their game. Firstly, they are increasingly sending links to malicious websites that install malware rather than including malware in the e-mail itself. Some botnets also hide the true location of spam, malware and phishing sites behind rapidly-changing addresses of Web proxies for each domain. This technique accounted for the increase of botnets from 20 per cent to 25 per cent by mid-2008. In addition, the botnets that they create are much more resilient. It is increasingly difficult to detect, disrupt or remove them.
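The rapidly-changing proxy addresses described above (commonly called fast flux) leave a recognisable pattern in resolver logs: short TTLs combined with many addresses spread over unrelated networks. The following is an added example, not MessageLabs code; the observations, the thresholds and the use of /24 networks as a stand-in for hosting diversity are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (unix time, domain, A record, TTL seconds).
# Domains use the reserved .example TLD; the addresses are sample values only.
OBSERVATIONS = [
    (1000, "shop.example", "192.0.2.10", 3600),
    (4600, "shop.example", "192.0.2.10", 3600),
    (8200, "shop.example", "192.0.2.11", 3600),
    (1000, "promo.example", "198.51.100.7", 120),
    (1130, "promo.example", "203.0.113.44", 120),
    (1260, "promo.example", "192.0.2.201", 120),
    (1390, "promo.example", "198.18.5.9", 120),
    (1520, "promo.example", "203.0.113.90", 120),
]

# Assumed thresholds for illustration; tune them against your own resolver logs.
MAX_TTL = 300        # short TTLs force clients to re-resolve frequently
MIN_ADDRESSES = 4    # distinct A records seen in the observation window
MIN_NETWORKS = 3     # distinct /24s: scattered hosts rather than one server farm


def summarise(observations):
    """Group observations per domain: addresses, /24 networks, lowest TTL."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, domain, addr, ttl in observations:
        entry = stats[domain.lower()]
        entry["ips"].add(addr)
        # Drop the last octet so IPv4 addresses in the same /24 count once.
        entry["nets"].add(int(ip_address(addr)) >> 8)
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return stats


def flag_fast_flux(observations):
    """Return the sorted domains that meet all three thresholds."""
    flagged = []
    for domain, s in summarise(observations).items():
        # Requiring network diversity keeps a load-balanced site that rotates
        # addresses inside a single /24 from being flagged on TTL alone.
        if (s["min_ttl"] <= MAX_TTL
                and len(s["ips"]) >= MIN_ADDRESSES
                and len(s["nets"]) >= MIN_NETWORKS):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_fast_flux(OBSERVATIONS))
```

Large content-delivery networks can also show short TTLs and many addresses, so a flagged domain is a candidate for review rather than a verdict.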
These moves make it harder for conventional defences to protect computers. They also make it more important than ever to block these attacks before they reach the user. An ounce of prevention is worth a pound of cure.
The shadow economy and targeted attacks
Online criminal activity is worth billions. There is a sophisticated shadow economy online with tens of thousands of participants where technical experts collaborate with criminal gangs to make money. There are specialist malware writers, botnet owners, identity thieves, spammers and a shady network of middlemen and market makers. It has all the attributes of the real world economy—division of labour, price competition, marketing, even guarantees.
Just as large corporations are eager to open up new markets in the developing world, so do online criminals see a burgeoning and relatively unprotected pool of Internet users as a huge opportunity.
Another sign of growing sophistication in the shadow economy is the continuous improvement in product quality. Malware writers work hard to test their products against anti-virus software. They offer guarantees that a given virus or trojan will not be detected using conventional anti-virus programs. If vendors update their software, then the malware author will supply a new version. Unfortunately for them, they cannot buy a copy of MessageLabs or other managed security services so they cannot guarantee against these services.
According to industry experts, the shadow Internet economy was worth more than US$105 billion in 2008. 2009 is predicted to be another year of significant growth as e-crime tools become accessible and the market becomes more mature and open, operating to conventional supply and demand rules. Through the continuous improvement in the quality of products on sale in the shadow economy, previous barriers to entry such as technical skills will be lowered and more people will try and make a living out of this economy.
Prevention is better than cure
It is easy to dismiss Internet problems as ‘out there,’ ‘too techie to deal with’ and ‘not my problem’, especially for smaller businesses that may not have dedicated IT staff. The reality is that Internet crime hurts businesses. In 2008, the US authorities indicted a spammer who ripped off US$3 million through a stock spam scam. From late 2008 to 2009, the US Pentagon spent more than US$100 million clearing up Internet attacks and viruses. The most common form of attack is via e-mail or a rogue website. In addition, 70 per cent of all e-mail traffic is unwanted spam, a waste of time and server capacity.
Protecting confidential data is a growing concern for businesses. Not only must they comply with regulations, including the Data Protection Act, but they must also deal with security breaches, which can have a serious impact on a company’s reputation and share price. This is why the latest form of attack, the targeted Trojan, is a real concern. These Trojans are specifically written and designed for information theft, and attackers use public information, such as Companies House records or information from social networking sites, to target key individuals by name.
Because the malware is a one-off, conventional anti-virus software, which uses signatures to spot viruses, has a hard time detecting it. Moreover, as it is carefully targeted at individuals, it has a greater chance of getting through. In 2005, we saw about two such attacks a week—and this figure increased to two attacks a day in 2006. By 2008 this figure increased exponentially to an average of 53 such attacks per day globally.
Be certain in an uncertain world
A looming virus and spam threat from developing countries, combined with the rise of new forms of malware and targeted trojans, makes the threat landscape a very populated and unpredictable place for businesses. The case for managed services is now stronger than ever. Most anti-virus software uses signatures to detect viruses. This means that every e-mail and website request is scanned to see if anything matches a list of known threats. However, signatures have a weakness. A virus or trojan has to be caught and analysed before the signatures can be updated. This leaves them vulnerable to custom-written or brand new threats. With so many new threats emerging around the world, isn’t it better to be certain?
Richard Bowman is regional manager, MessageLabs South Asia (now part of Symantec). Based in Singapore, he is responsible for all aspects of business development in South Asia.





