Congratulations Iceland!


Iceland had the fourth lowest infection rate of the period following a long period of improvement. - Microsoft Security Intelligence Report, Volume 14, p. 41.

We, as well as CERT Finland and F-Secure, have been spreading the word of Mostly harmless Finland for a while now. It is time to start looking at the results in other countries that have adopted the Finnish feeder-proxy-cleaner model. The Microsoft Security Intelligence Report provides interesting data about the infection rates in different countries. The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide.

Depressing Starting Point


Picture: Malice is among us.

The world is full of abuse. Are we beyond hope?

SIR data plotted

It's a journey, not a destination: we can't get rid of all the malice, but it seems that we are going in the right direction, and at a nice speed.

The graph below represents a few countries that have adopted the feeder-proxy-cleaner model. Please note the significant drop in Iceland, one of the countries that adopted the model around 2011. The graph also contains the worldwide average for comparison.

For comparison, let's have a look at some South American countries. Please notice that the scale is a bit different from the previous graph.

What We See

The data is based on public sources. Adding a few non-public sources, such as ShadowServer, one would get 10-100x more events for analysis. And the data overlaps surprisingly rarely.

The visualization shows the number of unique IPs in the reports, by GeoIP country code and type of malicious activity. The time window is 7 days.

Picture: Where are your bots, Iceland?

A Few Example South American Countries

During the past 7 days, South America has had a wider variety of malicious activity types. Furthermore, issues come in greater numbers.


Picture: Bots like to live in sunny South America.

Once the country has a good process for fire department work, all sorts of other benefits start to emerge. For example, the country is better prepared for larger-scale issues. See the DNSChanger blog entry for an example.

-- jani 2013-04-18 13:19:57

“Time flies like an arrow; fruit flies like a banana.” -- Groucho Marx


Staying on top of the current Internet abuse situation mandates that you follow your sources as close to real time as possible. On the left you can see a spanking new ZeuS binary, which was observed by a source on 2012-10-01. They do not report the actual time of their observation, only a date, which is why we record an accurate timestamp for each observation we make. This is recorded as the observation time in our abuse tracking system. Since time is an important asset not to be wasted, we can stream the data in real time to the endpoint recipient. We don't want to sit on top of it or mull over it, but rather package the observation with additional observations through automatic augmentation. This action in turn is recorded as the attribution time. Some sources are meticulous about time and do inform you about the exact time of their observations, which we record as the source time. Since time is a difficult thing to handle properly, we have adopted an ISO8601:ish time format of YYYY-MM-DD HH:MM:SS UTC.
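The three timestamps described above, as an added example that is not AbuseHelper's own code: it normalizes everything to the YYYY-MM-DD HH:MM:SS UTC format and leaves the source time unset when a source gives only a date. The dict layout, the function names and the `augment` callback are assumptions made for illustration, and the sample report is constructed.

```python
from datetime import datetime, timezone, timedelta

FMT = "%Y-%m-%d %H:%M:%S UTC"  # the YYYY-MM-DD HH:MM:SS UTC format named above

def to_utc_string(dt):
    """Render a timezone-aware datetime in UTC; refuse naive values."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: zone unknown, cannot convert to UTC")
    return dt.astimezone(timezone.utc).strftime(FMT)

def parse_source_time(raw):
    """Return the source time as a UTC string, or None for a date-only report.

    A bare date is not padded to midnight: that would invent a precision
    the source never claimed.
    """
    raw = raw.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S%z"):
        try:
            return to_utc_string(datetime.strptime(raw, fmt))
        except ValueError:
            continue
    datetime.strptime(raw, "%Y-%m-%d")  # raises ValueError on anything else
    return None

def build_event(report, observed_at, augment, now=None):
    """Attach the three times to one report (hypothetical dict layout)."""
    event = dict(report["fields"])
    source_time = parse_source_time(report["time"])
    if source_time is not None:
        event["source time"] = source_time
    event["observation time"] = to_utc_string(observed_at)
    event.update(augment(event))  # automatic augmentation, e.g. a GeoIP lookup
    event["attribution time"] = to_utc_string(now or datetime.now(timezone.utc))
    return event

if __name__ == "__main__":
    # Constructed sample: a source that reports only a date, seen by a
    # collector whose local clock is at UTC+3.
    report = {"time": "2012-10-01", "fields": {"ip": "192.0.2.10", "type": "malware"}}
    seen = datetime(2012, 10, 1, 12, 58, 21, tzinfo=timezone(timedelta(hours=3)))
    print(build_event(report, seen, lambda e: {"cc": "ZZ"}))
```

Refusing naive datetimes keeps a collector's local clock from being silently recorded as UTC, which would skew any correlation across sources.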


ZeroAccess, anyone?

Following the times of course gives you the opportunity, or challenge, of evolving the sources you follow to suit the need. For a while I've seen everybody hyping the ZeroAccess malware and producing map views detailing infections. I knew we had some observations on the issue from the public sources, so I dug up the AbuseHelper source bot data and modified the bot to classify the findings with this evolved threat. On the left, you can see the latest 1 hour's worth of sightings of ZeroAccess infections by this single source. So in essence, knowing your sources and what they provide is the key to gaining Abuse Situation Awareness in a timely manner.

I would like to exploit this opportunity and thank two of the numerous public sources, which AbuseHelper uses to gather information about abuse, namely and AutoShun. Without their efforts, the anti-abuse work of many a CSIRT team would be much more difficult.

-- svimes 2012-10-01 09:58:21

