Despite near-ubiquitous support by Australian ISPs for the anti-zombie iCode and major botnet takedowns last year, Australian botnet infections doubled over the second half of 2011.

A copy of Australian Media and Communications Authority (ACMA) figures obtained by CSO.com.au shows there were 20,873 bot infections each day in Australia by late November, up from 11,650 just five months prior.

Until August 2011 the number of infections in Australia had steadily declined from an average in 2010-2011 of 16,464 per day, seeming to show that iCode, which commenced in December 2010, was having its desired effect.

However, in late October 2011 bot infections shot up to over 15,000 and then another 5,000 by the last week of November, reaching the highest number since ACMA began collecting data in 2008.

The ACMA's e-security operations manager Bruce Matthews, who runs ACMA's Australian Internet Security Initiative (AISI), which is responsible for notifying iCode participants of customer infections, confirmed to CSO.com.au there had been a rise in infections between July 2011 and November-December 2011, but that it was "largely" due to it including DNSChanger trojan infections in its count.

"As illustrated by the recent introduction of the DNSChanger Trojan data into the AISI, the data that feeds into the AISI reports is constantly changing so it is difficult to undertake trend analysis over time, and particularly to form conclusions about data trends over short periods of time, such as on a month by month basis," said Matthews in an email.

He insists that since December the number of malware reports it is sending ISPs has returned to about 16,500 per day, or the average for the 2010-2011 period, which is still substantially more than July 2011.

The code, championed by the Internet Industry Association (IIA), involves AISI supplying suspected infected IP addresses to ISPs, which then may notify their customer and, in the worst cases, contain the connection in a 'walled garden' until the malware is removed.

The failure of iCode to halve infections was one reason Alan Paller, research director of the US security organisation, the SANS Institute, which runs the Storm Internet Center early warning system, last year advised the US Department of Commerce not to implement a similar voluntary code there.

In an interview with CSO.com.au, Paller explained the other reasons were that Commerce was planning not to publish the performance of each ISP - a feature also lacking from the Australian model and one which the iCode's architect, former IIA CEO Peter Coroneos, has said would be put on the table in this year's iCode revision.

"The way the US was planning to do it was to follow the lead of Australia with no counting. And if you don't count, how can you know if there is success? So the iCode is a failure if it doesn't count reliably," says Paller.

The way Australia introduced the program, by packaging it in a way that presents the ISP as helping customers, was "very cool", according to Paller, but keeping the data under wraps offers no incentive for ISPs in the program to reduce malware. It's a message he says he's relayed to Australia's Attorney General's Department.

"The way [Australia] went around it is very good, and it's about a third of the way where it needs to be; the other two thirds are reliable data and publishing the data," he said.

The fluctuations and difficulties in interpreting trends over time that ACMA's Matthews noted are part of the problem with the iCode as it is, according to Paller. Including new trojans in AISI's data feeds might have caused the sudden uptick, but any fall in infections since the iCode's inception could just as likely have been the result of under-counting.

"That's why I say [Australia] is a third of the way there," says Paller. "The data that [ACMA] has is pretty darn good, but it is not reliable in the sense that it doesn't measure it across all [ISPs] and it doesn't measure the same way every day. So part of the change is a change in measurement, and part of it is differences in the way ISPs report, so there's a little unreliability there.

"And the second thing is that nobody's going to make it public by ISP. That's what I asked the Attorney General's office to do. I said, 'Make it public. You've got something that will move them.'"

According to Matthews the ACMA will begin publishing regular updates in the first half of 2012, which would be a move in the direction of Paller's suggestions, but if it comes in the form and quality ACMA currently has, it won't be good enough, says Paller.

On the other hand, making the data public by ISP in order to create the right incentives might also dampen enthusiasm to join a voluntary scheme, and appears to be a factor behind the US's attempts to get such a program off the ground.

"[Commerce] were going to collect data, but they were all for voluntary. Remember we're in the middle of an election, and the President has been taking a lot of heat for not being nice to business," says Paller.

But without the numbers being published, he says it's not worth pursuing.

"[The government] can have a hands-off relationship but publicly display the numbers - publish the numbers on the Sunday of every week and show how well they are doing in protecting their users."

Coroneos, who also admitted data was a problem, has defended Australia's program, arguing Paller's expectations of halving bot infections were "unrealistic given the nature of the problem".

He also claimed that 20 per cent of Australian recipients failed to act on a notification and that the only way to improve this would be through a massive funding boost.

Paller doesn't buy this argument, contending that if performance data is published, ISPs would do a lot more to ensure customer infections are remediated.

"If everyone had accountability, you could do five times as much with no pain," said Paller.

"Whether you make it voluntary or not, if you publish the data on the guys that aren't doing it, you'll make voluntary work better."