Data is based on Coordinated Universal Time (UTC).
To compare between types, simply ‘de-select’ one or all types that you do not wish to compare. Each dataset can also be downloaded daily as a .csv file (malware observations or observations by malware family).
How to interpret AISI data
There are a number of caveats to note when interpreting this data.
Often there are multiple observations for an individual IP address, including multiple observations under different categories. This multiple IP address data has been largely removed from the data in the charts.
On any given day, the ‘AISI Daily Malware Observations’ chart only contains single instances of an IP address, while the ‘AISI Daily Observations per Malware Family’ chart contains only single instances of an IP address per malware ‘family’.
If there are observations of incidents related to multiple families that IP address will be represented once for each family in this data. This means that the daily total of all observations for the ‘AISI Daily Malware Observations’ chart will be greater than or equal to the daily total recorded for the ‘AISI Daily Observations per Malware Family’ chart.
If there are observations relating to multiple categories on a given day for a given IP address, that IP address will be represented once in each category. So if an IP address has been observed as having malware as well as a vulnerable service, this address will be reported in multiple categories.
In addition, the following observations should be noted:
- A service utilising a ‘dynamic’ IP address (such as a home router) may be represented more than once in the data over a 24-hour period if that ‘dynamic’ IP has changed during that period.
- The number of computing devices associated with a given IP address can vary widely, from only one for some residential services to thousands of devices on corporate networks.
A note about data variability
Caution should be applied when interpreting the charts, as their data contains a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise threat has diminished, as other factors may have led to data becoming unavailable. Some factors are changing data sources and the emergence of new compromise types.
The following descriptions provide brief information associated with the most commonly observed malware types, including those identified in the charts. Most malware types are capable of performing a variety of malicious activities and may have multiple variants.
Andromeda is modular and multipurpose malware that is often used to install other malware. It is used to harvest credentials from an infected device and undertake other malicious activities.
Among other things, Conficker can disable important services on a computer, leaving it vulnerable to further compromise. Users with Conficker infections are very likely to have other malware infections of a more serious nature.
Data recorded as ‘generic bot’ is where we have reliable malware indicators, but at the time of the reporting are unable to attribute the malware to a specific malware family.
This type identifies Android devices that have been compromised by Marcher malware applications. These applications can steal banking and other financial credentials by substituting genuine authentication fields within banking apps on the Android device with its own fake fields. These credentials are then recorded and sent to malicious actors. Marcher malware is generally installed through software obtained from untrusted sources, and not from trusted sources such as Google Play.
Mirai is a trojan that targets Internet of Things (IoT) devices – such as routers, webcams, printers and digital video recorders – that are ‘open’ to the internet and use weak or default passwords. Once a device is infected it can be used for many tasks, including Distributed Denial of Service (DDoS) attacks.
Apart from enabling control of an infected device, njRAT can log keystrokes, download and execute files, provide remote desktop access, steal application credentials and access the infected device’s camera and microphone. One njRAT variant can also detect whether a removable storage device such as a USB drive is connected to a computing device. If so, it attempts to copy itself to the device in the hope of spreading to more devices.
Other malware types not included in the charts.
Ramnit is known to evade firewalls and other detection mechanisms by injecting itself into running processes, such as svchost.exe and iexplore.exe. It may modify the registry to ensure that it starts on boot. It uses a custom protocol on TCP port 443 for C&C.
Rovnix is predominantly a banking trojan that can be used to steal credentials and allow remote ‘backdoor’ access to your computer. It may be difficult to detect due to its stealth capabilities.
Sphinx is another Zeus-based banking trojan variant that enables the attacker to modify internet banking and payment services.
ZeroAccess is designed for the primary purposes of ‘click fraud’ and ‘Bitcoin mining’. It utilises a rootkit in order to hide on the affected computer, is often installed by web browser exploits and may have been downloaded by other malware already on the computer.
Zeus is a banking trojan that enables the attacker to modify internet banking transactions.
Where to get help
The right actions to take to remove malware and restore the affected device will depend on the type and variant of malware detected, as well as the operating system version and software installed.
We welcome any feedback on these charts, please contact us at firstname.lastname@example.org.