ACMA database keeps finger on Australia’s malware pulse

Australian ISPs and universities are sending more than 10,000 emails a day to warn customers their systems appear to be infected by malware – but as few as one in five is ever read by its recipient, statistics from the Australian Communications and Media Authority’s (ACMA’s) Australian Internet Security Initiative (AISI) show.

Developed as part of ACMA’s statutory enforcement of the Spam Act 2003 and as an adjunct to the Internet Industry Association of Australia’s iCode code of conduct, AISI is an ACMA-managed initiative that provides data to over 130 participants – ISPs, universities and others operating a range of fixed IP addresses – who also receive data from the likes of Microsoft, the Complete Blocking List, ShadowServer, and other public and private sources.

The system has been built and is maintained in house by a team of four developers whose brief also includes ACMA’s Spam Intelligence Database (SID), which currently contains over 100 million spam messages – half of which were reported directly by members of the Australian public.

“There are other similar initiatives around the world,” Bruce Matthews, manager of the e-Security Operations Section within ACMA’s Unsolicited Communications Branch, told CSO Australia. “But we don’t believe that any regulator has such a powerful database to assist in spam enforcement, and to assist in producing data for an anti-botnet program as we have done.”

“We feed information on spam-sending, bot-infected Australian IP addresses directly into the AISI, and provide detailed daily reports that let participants see and compare the number of infections they’ve received with the aggregate amount of infections and any information of note in relation to infection trends on their own networks.”

To coincide with the government-backed National Cybersecurity Awareness Week, ACMA has today launched a new-look Web site for AISI, offering detailed analyses of ongoing activity across a range of views. Trending information over 90 days is available, with analysis of the top-trending infection families at any given time.

Statistics are updated on a daily basis, and released online through the AISI portal within one or two hours of being sent to AISI participants. One recent day saw 15,254 reports of possible botnet infections sent to member ISPs and other AISI participants; this information is then used to generate warning notices that are sent to subscribers – although reports from some ISPs suggest that as many as 80% of notices go unread.

“Most ISPs have processes for escalating reports,” Matthews says. “If a particular IP is continually appearing, they’ve got the option of putting customers into walled gardens so they can’t get access to the internet until they request access and deal with the infection. There are various escalation processes followed by ISPs in accordance with their own requirements.”

Regular flux in the number of reports, and their nature, allows ACMA to track infection trends for fast-spreading malware, and to help participants pinpoint their efforts to fight the infections. Last year’s DNSChanger outbreak, for example, was flagged quickly and kicked off an aggressive ACMA campaign – in conjunction with CERT Australia and the Department of Broadband, Communications and the Digital Economy (DBCDE) – to support successful global efforts to limit the malware’s scope.

An ACMA-run site, through which users could check if they were infected with DNSChanger, received more than 1.65m unique visitors and 6.7m hits total. Fully 1.1m of those visitors hit the site in the four days before the DNSChanger botnet was disabled, on 9 July 2012.

For more than two-thirds of AISI’s industry participants, regular malware reports are the only source of malware data – so ACMA is particularly cautious about ensuring the data is free from false positives.

“We get a lot of data that we don’t report,” Matthews says. “We need to be very confident in the accuracy of the data if we’re going to send that data to an ISP, and that ISP is going to use that information to contact their customers. We reject any sign that is a false positive. There is a whole lot of work involved in the whole process.”
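The two-stage flow the article describes – the regulator forwarding only sightings it is confident in, and the ISP escalating IPs that keep reappearing up to a walled garden – as an added Python sketch that is not ACMA’s or any ISP’s code. The feed rows, the two-source corroboration rule and the three-report walled-garden threshold are constructed assumptions, not AISI’s actual rules or format.

```python
from collections import defaultdict

# Constructed sample feed rows: (day, source, ip, malware family).
# Addresses are from the documentation range 203.0.113.0/24; not real sightings.
FEED = [
    ("2013-05-20", "sid",          "203.0.113.10", "spambot"),
    ("2013-05-20", "shadowserver", "203.0.113.10", "spambot"),
    ("2013-05-20", "cbl",          "203.0.113.77", "dnschanger"),  # single source only
    ("2013-05-21", "sid",          "203.0.113.10", "spambot"),
    ("2013-05-21", "shadowserver", "203.0.113.10", "spambot"),
    ("2013-05-21", "cbl",          "203.0.113.77", "dnschanger"),
    ("2013-05-21", "shadowserver", "203.0.113.77", "dnschanger"),
    ("2013-05-22", "sid",          "203.0.113.10", "spambot"),
    ("2013-05-22", "cbl",          "203.0.113.10", "spambot"),
]


def daily_reports(feed, min_sources=2):
    """Regulator side (assumed rule): forward an IP for a given day only when
    at least min_sources independent feeds sighted it, dropping uncorroborated
    rows rather than risk a false positive reaching a customer."""
    sources = defaultdict(set)      # (day, ip) -> feeds that reported it
    family = {}
    for day, src, ip, fam in feed:
        sources[(day, ip)].add(src)
        family[ip] = fam
    return sorted((day, ip, family[ip])
                  for (day, ip), srcs in sources.items()
                  if len(srcs) >= min_sources)


def escalate(reports, walled_garden_after=3):
    """ISP side (assumed policy): first report sends a notice, a repeat sends a
    reminder, and an IP reported walled_garden_after times or more is placed in
    a walled garden until the customer deals with the infection."""
    times_reported = defaultdict(int)
    actions = {}
    for day, ip, _fam in reports:
        times_reported[ip] += 1
        n = times_reported[ip]
        if n >= walled_garden_after:
            actions[ip] = "walled_garden"
        elif n > 1:
            actions[ip] = "reminder"
        else:
            actions[ip] = "notice"
    return actions
```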

Follow-up surveys of AISI participants have confirmed that the data is seen as reliable: one university, for example, said investigations into reported sources almost always found an infection. And most AISI participants take some form of action in response to the notices.

By working regularly to stay abreast of changing infection trends, Matthews says ACMA has been able to build a partnership model that has been fundamental to the success of AISI – which he hopes will become even more widely used through the newly revamped site.

“There aren’t too many initiatives which at such a high level have voluntary participation, and we have the vast majority of Australian ISPs participating,” he explains.

“It’s a cooperative, collaborative approach, and AISI has become a success because it’s been done very cooperatively with the industry and, in particular, ISPs. They don’t have to replicate it themselves, and would rather aggregate information than have the time of their team members taken up.”

Stories by David Braue