June 2nd, 2008

Debunking yet another bogus malware study

Posted by Ed Bott @ 2:05 pm

Categories: Security

Tags: Adware, OECD, Malware, Computer, Badware, Spyware, Adware & Malware, Cyberthreats, Spyware, Productivity, Viruses And Worms

Here we go again, with yet another round of bogus reporting about the extent of malware infections in the United States. This morning I read a report by Nick Farrell of The Inquirer, which was accompanied by the screamer headline One in Four US computers infected. It links in turn to a much longer story in the Sydney Morning Herald, headlined A quarter of US PCs infected with malware: OECD. Here’s the lede from that story:

An OECD study into online crime says that increased activity by cyber criminals has left an estimated one-in-four US computers infected with malware.

And a bit later in the story the reporter shows his math:

“It is estimated that 59 million users in the US have spyware or other types of malware on their computers,” the OECD report said.

According to Nielsen/Netratings, the US internet population stood at an estimated 216 million at the end of 2007.

NewScientistTech (UK) swallowed the story. So did the AFP wire service. In every single one of the press reports I’ve referenced, the discussion quickly turns to zombies and botnets and Trojans and keyloggers.

[Update 3-June: In the credit-where-credit-is-due department, Joel Hruska at Ars Technica deserves props for an excellent report on the OECD study that captures its good work and completely ignores the bogus statistics. I highly recommend reading his post, OECD on malware: it's all about the economics.]

[Update 9-June: The OECD has added the following note to the introduction of its report:

The OECD report is wrong to use these numbers, and the reporters who wrote these stories didn’t even do any rudimentary fact-checking to see whether the statistics in question were correct. I went back to the original documents and followed the footnotes. This is literally a fourth-hand report from a three-year-old study, and the original research doesn’t support anything remotely like the conclusion that’s being reported today. It illustrates what is so horribly, horribly wrong with our media in general and our technical press in particular.

Here’s the real story: In a study conducted three years ago, in 2005, one organization found that roughly 43% of the American computer users they surveyed had experienced at least one go-round with spyware or adware, which they defined as the kind of programs that produce pop-up ads on users’ computers. The experience had been so annoying and frustrating for the users they spoke with that 90% of them had changed their behavior dramatically, doing things that would specifically protect them from this sort of infection. From those results, this organization extrapolated that their findings at that time would have equaled 59 million computer users who were being annoyed by adware and spyware programs.

So how did we get from that old study to a screaming headline claiming those numbers indicate current infections by malicious software? It took a lot of sloppy work by a lot of people. In this post, I’ll break it down for you.

Let’s start with the report itself. Entitled Malicious Software (Malware): A Security Threat to the Internet Economy (pdf here), it is identified as a Ministerial Background Report for the Organisation for Economic Cooperation and Development (OECD) Ministerial Meeting on the Future of the Internet Economy, to be held in Seoul, South Korea on June 17-18, 2008. The report was produced by the Committee for Information, Computer and Communications Policy of the Directorate for Science, Technology and Industry, which is in turn a subgroup of the OECD.

So where does that magical 59 million number come from? You’ll find it on page 37, in the middle of a boilerplate section rattling off various statistics from around the world, to illustrate that consumers and businesses “are increasingly exposed to a new range of complex, targeted attacks that use malware to steal their personal and financial information.” The quote in question reads as follows:

Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers. (106)

In the original, that “106″ is in superscript, which I can’t easily replicate in this post, so I’ve used parentheses. But anyone who’s ever prepared a term paper will recognize that it’s a footnote. Let’s follow it, shall we? At the bottom of page 37 is this not-so-helpful citation:

106 Brendler, Beau (2007) p. 4.

A perusal of the endnotes finds the full source of this citation:

Brendler, Beau; “Spyware/Malware Impact on Consumers”; APEC-OECD Malware Workshop; April 2007 (Source: StopBadware Project); available online at: http://www.oecd.org/dataoecd/33/55/38652920.pdf (last accessed 13 December 2007).

So, well over a year ago, in April 2007, the group that produced the OECD report invited an American expert to give them a briefing on the extent of malicious software. Page 4 of his PowerPoint presentation includes this sentence:

59 million Americans have spyware or other malicious badware on their computers. (Source: StopBadware Project).

“Badware”? What the hell is that? Well, for starters, it includes a lot more than Trojans, rootkits, and viruses. According to the Stop Badware Project’s own definition:

What is badware?
There are several commonly recognized terms for specific kinds of badware - spyware, malware, and deceptive adware. Badware is malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. If your every move online is checked by a pop-up ad, it’s highly likely that you, like 59 million Americans, have spyware or other malicious badware on your computer.

In fact, software doesn’t have to be malicious to be labeled “badware” by the self-appointed sheriffs of the StopBadware Project. Last month, the organization was prepared to apply the label to Apple’s Safari browser for Windows. From the StopBadware Project blog:

A few weeks ago, the blogosphere raised concerns about the Windows version of Apple Software Update for offering new software installations (e.g., Safari) disguised as product updates. At the time, we blogged about it and said we were looking into it. It turns out that we were prepared to release an alert today identifying the product as badware. I’m glad to report, however, that we don’t have to, as Apple yesterday released an updated version that addresses the concerns that bloggers and StopBadware.org raised with them.

And how about that 59 million number? It turns out that it doesn’t even come from the StopBadware project itself. The source is actually …

Continue reading on next page –>

Pages: 1 2