
Autoreporter

Statistics on automatic malware detection in 2006-2009

Autoreporter is a service provided by CERT-FI that automatically compiles malware and information security incidents related to Finnish networks and reports them to network maintainers. The service has been in use since 2006 and it covers all Finnish network areas. The statistics help assess trends in, e.g., the density of malware in Finnish networks.

This page contains statistics from 2006-2009 produced by Autoreporter. The graphs indicate that the number of computers infected by malware has decreased in Finnish networks in the long run. Finnish telecommunications operators play a key role in this development by reacting swiftly and efficiently to information security incidents brought to their knowledge.

When interpreting the graphs, one should keep in mind that several variables affect the outcome. Short-term variation can show up, e.g., if Autoreporter for one reason or another is unable to retrieve incident-related data from one of its data sources. The impact of new and widespread classes of malware will, however, be clearly visible when looking at statistics over the entire year.

During its life span, Autoreporter has seen several changes take place in its data sources. New trustworthy sources have been added and, based on feedback from customers, some sources providing unreliable data have either been filtered or cut off. Four years of operation does, however, provide enough statistical data to draw the conclusions that follow.

Malware incidents on the rise

It seems that the number of malware incidents relative to the number of broadband subscriptions is dropping in the long run. Last year did, however, see a significant change as the number of incidents began to rise. One reason for this rise is the malware known as Conficker (or Downadup). The effects of Conficker’s aggressive propagation have been visualised with a gradient fill in the figure below. Conficker was first observed in Finland in the beginning of January and Autoreporter started tracking it during the same month. Conficker is known to disable automatic updates of several anti-virus products on any computer it succeeds in infecting. It is thus likely that once a computer gets infected, it will over time be infected with other malware as well.

Incidents per broadband customer

Malware related to botnets in the lead

In 2009, incidents related to botnets of some sort accounted for over half of the observations. The majority of spam, for example, is sent with the help of such remote-controlled networks. Although Conficker started off as a worm in the beginning of 2009, it can also be classified as botnet-related malware. The botnet created by Conficker has, however, so far not been put to any extensive use. Conficker’s aggressive ways of spreading have not gone unnoticed by Autoreporter. Almost half of all reported incidents in 2009 were caused by Conficker alone. The sharp rise of Conficker has also reduced attempts to spread other malware, and the port scanning that precedes attempted break-ins, to marginal observations.

Incidents by type

Daily malware incidents

The graph of daily malware incidents shows individual occurrences as strong peaks. The effects of these peaks are, however, short-lived. The white troughs clearly show the days during which Autoreporter was unable to retrieve incident-related data. The values on the y-axis represent the number of daily reports sent out by Autoreporter.

Conficker turned up in the statistics at the end of January and it is highly likely that this malware will, in one way or another, show up in the statistics for several years to come. It seems that telecommunications operators were able to deal with Conficker infections rather well during the first quarter of the year. Taking into account that the version of Conficker that emerged during March no longer tries to spread itself, one must assume that some computers that did not get disinfected during the outbreak have shown up in the statistics for the entire year. In November, CERT-FI started to take action against such long-lasting cases. We hope that the slight increase in incidents during December is the result of these actions.

Incidents per day

Related topics

Reports that list and compare information security incidents related to different networks are published from time to time. Correlating results between the different reports is difficult, e.g., because of a lack of academic precision. Some conclusions can, however, be drawn. CERT-FI has collected a list of links to recently published reports. These reports compare the Finnish networks with other networks with regard to information security incidents.

Autoreporter mentioned elsewhere

Page updated 26.03.2010