
NCSC-FI:

P.O. Box 313
FI-00181 Helsinki
Phone: +358 295 390 230 (lnf/mcf)


Finnish Communications Regulatory Authority (FICORA):


Itämerenkatu 3 A
P. O. Box 313
FI-00180 HELSINKI
Phone: +358 259 390 100 (lnf/mcf)


Autoreporter

Statistics on automatic malware detection in 2006-2011

Autoreporter is a service provided by CERT-FI that automatically compiles malware and information security incidents related to Finnish networks and reports them to network maintainers. The service has been in use since 2006 and it covers all Finnish network areas. The statistics help assess trends in, e.g., the density of malware in Finnish networks.

This page contains statistics from 2006-2011 produced by Autoreporter. The graphs indicate that the number of computers infected by malware has decreased in Finnish networks in the long run. Finnish telecommunications operators play a key role in this development by reacting swiftly and efficiently to information security incidents brought to their knowledge.

When interpreting the graphs, one should keep in mind that several variables affect the outcome. Short-term variation can, e.g., show up if Autoreporter for one reason or another is unable to retrieve incident-related data from one of its data sources. The impact of new and widespread classes of malware will, however, be clearly visible when looking at statistics over the entire year.

During its life span, Autoreporter has seen several changes take place in the data sources. New trustworthy sources have been added and based on feedback from the customers, some sources providing unreliable data have either been filtered or cut off. Six years of operation does, however, provide enough statistical data to draw the conclusions that follow.

Malware incidents continued to decline during 2011

It seems that the number of malware incidents with respect to the number of broadband subscriptions is dropping in the long run. There was, however, a significant change in 2009, when the number of incidents began to rise. One reason for this rise is the malware known as Conficker. The effects of Conficker's aggressive propagation have been visualised with a gradient fill in the figure below. Conficker was first observed in Finland in the beginning of January 2009 and Autoreporter started tracking it during the same month. Incidents related to Conficker had a strong presence in 2011 as well.

Malware related to botnets in the lead

In 2011, incidents related to botnets of some sort accounted for almost half of the observations. The majority of, e.g., spam is being sent with the help of such remote-controlled networks. Although Conficker started off as a worm in the beginning of 2009, it can also be classified as botnet-related malware. The botnet created by Conficker has, however, so far not been put to any extensive use. Conficker's aggressive ways of spreading have not gone unnoticed by Autoreporter. Almost half of all reported incidents in 2009-2011 were caused by Conficker alone. The figures prove that a computer infected by Conficker can be difficult to locate. The task can be especially challenging in a large corporate network. One cannot rely on automatic disinfection, as Conficker is known to disable the automatic updates of several anti-virus products on the computer. The steep rise of Conficker in 2009 has also caused attempts to spread other malware, and the port scanning that precedes attempted break-ins, to become marginal observations.

Malware and information security incidents by the numbers

In 2011 Autoreporter sent a total of 196.188 reports related to malware and information security incidents. In total, the reports contained 89.048 different IP-addresses. One should, however, keep in mind that the number of IP-addresses does not directly correlate to the number of infected computers. It is, e.g., common that broadband subscriptions use IP-addresses that change from time to time (so-called dynamic addresses). In addition, it is not uncommon that several infected machines can be found behind one public IP-address of a corporation. The IP-addresses reported during 2011 are approximately plotted on the map below.

During 2011 Autoreporter emailed reports to over 80 different network operators. The average response time for all reports was 30 hours. The response time is the time it takes to report an incident once it has been detected.
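
The counting caveat above (dynamic addresses inflate the IP count, while one corporate address can hide several machines) and the per-operator reporting can be seen in a small aggregation. This is an added example, not Autoreporter's code; the network table, contacts, observations and the one-report-per-IP-day-label rule are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed maintainer table: documentation address ranges, hypothetical contacts.
NETWORKS = {
    "198.51.100.0/24": "abuse@isp-a.example",   # broadband pool, dynamic addresses
    "203.0.113.0/24": "abuse@corp-b.example",   # corporate network behind one NAT address
}

# Constructed observations: (day, source IP, malware label, ground-truth host).
# The host column exists only in this sample; a real feed sees the IP alone.
OBSERVATIONS = [
    (1, "198.51.100.10", "conficker", "home-pc-1"),
    (2, "198.51.100.57", "conficker", "home-pc-1"),   # same PC, new lease
    (3, "198.51.100.91", "conficker", "home-pc-1"),
    (1, "203.0.113.5", "conficker", "office-pc-1"),   # three PCs, one public IP
    (1, "203.0.113.5", "conficker", "office-pc-2"),
    (2, "203.0.113.5", "bot", "office-pc-3"),
    (2, "192.0.2.44", "bot", "lab-pc-1"),             # no maintainer on file
]

def maintainer_for(ip, networks=NETWORKS):
    """Return the contact of the most specific network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(cidr), contact) for cidr, contact in networks.items()]
    hits = [(net.prefixlen, contact) for net, contact in nets if addr in net]
    return max(hits)[1] if hits else None

def summarize(observations, networks=NETWORKS):
    """Group observations per maintainer; count reports, distinct IPs and true hosts."""
    seen = defaultdict(lambda: {"reports": set(), "ips": set(), "hosts": set()})
    for day, ip, malware, host in observations:
        bucket = seen[maintainer_for(ip, networks) or "unrouted"]
        bucket["reports"].add((day, ip, malware))   # assumed: one report per IP, day and label
        bucket["ips"].add(ip)
        bucket["hosts"].add(host)
    return {contact: {"reports": len(b["reports"]), "distinct_ips": len(b["ips"]),
                      "hosts": len(b["hosts"])} for contact, b in seen.items()}

if __name__ == "__main__":
    for contact, counts in summarize(OBSERVATIONS).items():
        print(contact, counts)
```

In the sample, the broadband pool shows three addresses for a single infected PC, while the corporate network shows one address for three infected PCs.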

Related topics

Reports that list and compare information security incidents related to different networks are published from time to time. Correlating results between the different reports is difficult, e.g., because of a lack of academic precision. Some conclusions can, however, be drawn. CERT-FI has collected a list of links to recently published reports. These reports compare the Finnish networks with other networks with regard to information security incidents.

Autoreporter mentioned elsewhere

Page updated 17.07.2012