Australia’s zombie infections doubled in 2011

Is iCode failing to deliver results?

Despite near-ubiquitous support by Australian ISPs for the anti-zombie iCode and major botnet takedowns last year, Australian botnet infections doubled over the second half of 2011.

A copy of Australian Media and Communications Authority (ACMA) figures obtained by shows there were 20,873 bot infections each day in Australia by late November, up from 11,650 just five months prior.

Until August 2011 the number of infections in Australia had steadily declined from an average in 2010-2011 of 16,464 per day, seeming to show that iCode, which commenced in December 2010, was having its desired effect.

However, in late October 2011 bot infections shot up to over 15,000 and then another 5,000 by the last week of November, reaching the highest number since ACMA began collecting data in 2008.

The ACMA’s e-security operations manager Bruce Matthews, who runs ACMA’s Australian Internet Security Initiative (AISA) which is responsible for notifying iCode participants of customer infections, confirmed to there had been a rise in infections between July 2011 and November-December 2011, but that it was “largely” due to it including DNSChanger trojan infections in its count.

“As illustrated by the recent introduction of the DNSChanger Trojan data into the AISI, the data that feeds into the AISI reports is constantly changing so it is difficult to undertake trend analysis over time, and particularly to form conclusions about data trends over short periods of time, such as on a month by month basis,” said Matthews in an email.

He insists that since December the number of malware reports the ACMA sends to ISPs has returned to about 16,500 per day, the average for the 2010-2011 period, which is still substantially more than in July 2011.

The code, championed by the Internet Industry Association (IIA), involves AISA supplying suspected infected IP addresses to ISPs, which then may notify their customer and, in the worst cases, contain the connection in a ‘walled garden’ until the malware is removed.

The failure of iCode to halve infections was one reason Alan Paller, research director of the US security organisation the SANS Institute, which runs the Internet Storm Center early warning system, last year advised the US Department of Commerce not to implement a similar voluntary code there.

In an interview with, Paller explained the other reasons were that Commerce was planning not to publish the performance of each ISP - a feature also lacking from the Australian model and one which the iCode’s architect, former IIA CEO Peter Coroneos, has said would be put on the table in this year’s iCode revision.

"The way the US was planning to do it was to follow the lead of Australia with no counting. And if you don't count, how can you know if there is success? So the iCode is a failure if it doesn't count reliably," says Paller.

The way Australia introduced the program, by packaging it in a way that presents the ISP as helping customers, was “very cool”, according to Paller, but keeping the data under wraps offers no incentive for ISPs in the program to reduce malware. It’s a message he says he’s relayed to Australia’s Attorney General’s Department.

"The way [Australia] went around it is very good, and it's about a third of the way where it needs to be; the other two thirds are reliable data and publishing the data," he said.

The fluctuations and difficulties in interpreting trends over time that ACMA’s Matthews noted are part of the problem with the iCode as it stands, according to Paller. Including new trojans in AISA’s data feeds might have caused the sudden uptick, but any fall in infections since the iCode's inception could just as likely have been the result of under-counting.

"That’s why I say [Australia] is a third of the way there," says Paller. "The data that [ACMA] has is pretty darn good, but it is not reliable in the sense that it doesn't measure it across all [ISPs] and it doesn't measure the same way every day. So part of the change is a change in measurement, and part of it is differences in way ISPs report, so there's a little unreliability there.

“And the second thing is that nobody's going to make it public by ISP. That’s what I asked the Attorney General’s office to do. I said, ‘Make it public. You’ve got something that will move them.’”

According to Matthews the ACMA will begin publishing regular updates in the first half of 2012, which would be a move in the direction of Paller’s suggestions, but if it comes in the form and quality ACMA currently has, it won’t be good enough, says Paller.

On the other hand, making the data public by ISP in order to create the right incentives might also dampen enthusiasm to join a voluntary scheme, and appears to be a factor behind the US's struggle to get such a program off the ground.

"[Commerce] were going to collect data, but they were all for voluntary. Remember we're in the middle of an election, and the President has been taking a lot of heat for not being nice to business," says Paller.

But without the numbers being published, he says it’s not worth pursuing.

"[The government] can have a hands-off relationship but publicly display the numbers - publish the numbers on the Sunday of every week and show how well they are doing in protecting their users."

Coroneos, who also admitted data was a problem, has defended Australia’s program, arguing Paller's expectation to halve bot infections was "unrealistic given the nature of the problem".

He also claimed that 20 per cent of Australian recipients failed to act on a notification and that the only way to improve this would be through a massive funding boost.

Paller doesn’t buy this argument, contending that if performance data is published, ISPs would do a lot more to ensure customer infections are remediated.

"If everyone had accountability, you could do five times as much with no pain," said Paller.

"Whether you make it voluntary or not, if you publish the data on the guys that aren't doing it, you'll make voluntary work better."

Stories by Liam Tung