


by Liam Tung

Australia’s zombie infections doubled in 2011

Jan 11, 2012, 6 mins

Despite near-ubiquitous support by Australian ISPs for the anti-zombie iCode and major botnet takedowns last year, Australian botnet infections doubled over the second half of 2011.

A copy of Australian Media and Communications Authority (ACMA) figures obtained by shows there were 20,873 bot infections each day in Australia by late November, up from 11,650 just five months prior.

Until August 2011 the number of infections in Australia had steadily declined from an average in 2010-2011 of 16,464 per day, seeming to show that iCode, which commenced in December 2010, was having its desired effect.

However, in late October 2011 bot infections shot up to over 15,000 and then another 5,000 by the last week of November, reaching the highest number since ACMA began collecting data in 2008.

The ACMA’s e-security operations manager Bruce Matthews, who runs ACMA’s Australian Internet Security Initiative (AISI) which is responsible for notifying iCode participants of customer infections, confirmed to there had been a rise in infections between July 2011 and November-December 2011, but that it was “largely” due to it including DNSChanger trojan infections in its count.

“As illustrated by the recent introduction of the DNSChanger Trojan data into the AISI, the data that feeds into the AISI reports is constantly changing so it is difficult to undertake trend analysis over time, and particularly to form conclusions about data trends over short periods of time, such as on a month by month basis,” said Matthews in an email.

He insists that since December the number of malware reports it is sending ISPs has returned to about 16,500 per day, or the average for the 2010-2011 period, which is still substantially more than July 2011.

The code, championed by the Internet Industry Association (IIA), involves AISI supplying suspected infected IP addresses to ISPs, which then may notify their customer and, in the worst cases, contain the connection in a ‘walled garden’ until the malware is removed.

The failure of iCode to halve infections was one reason Alan Paller, research director of the US security organisation, the SANS Institute, which runs the Storm Internet Center early warning system, last year advised the US Department of Commerce not to implement a similar voluntary code there.

In an interview with, Paller explained the other reasons were that Commerce was planning not to publish the performance of each ISP – a feature also lacking from the Australian model and one which the iCode’s architect, former IIA CEO Peter Coroneos, has said would be put on the table in this year’s iCode revision.

“The way the US was planning to do it was to follow the lead of Australia with no counting. And if you don’t count, how can you know if there is success? So the iCode is a failure if it doesn’t count reliably,” says Paller.

The way Australia introduced the program, by packaging it in a way that presents the ISP as helping customers, was “very cool”, according to Paller, but keeping the data under wraps offers no incentive for ISPs in the program to reduce malware. It’s a message he says he’s relayed to Australia’s Attorney General’s Department.

“The way [Australia] went around it is very good, and it’s about a third of the way where it needs to be; the other two thirds are reliable data and publishing the data,” he said.

The fluctuations and difficulties in interpreting trends over time that ACMA’s Matthews noted are part of the problem with the iCode as it is, according to Paller. Including new trojans in AISI’s data feeds might have caused the sudden uptick, but any fall in infections since the iCode’s inception could just as likely have been the result of under-counting.

“That’s why I say [Australia] is a third of the way there,” says Paller. “The data that [ACMA] has is pretty darn good, but it is not reliable in the sense that it doesn’t measure it across all [ISPs] and it doesn’t measure the same way every day. So part of the change is a change in measurement, and part of it is differences in the way ISPs report, so there’s a little unreliability there.

“And the second thing is that nobody’s going to make it public by ISP. That’s what I asked the Attorney General’s office to do. I said, ‘Make it public. You’ve got something that will move them.’”

According to Matthews the ACMA will begin publishing regular updates in the first half of 2012, which would be a move in the direction of Paller’s suggestions, but if it comes in the form and quality ACMA currently has, it won’t be good enough, says Paller.

On the other hand, making the data public by ISP in order to create the right incentives might also dampen enthusiasm to join a voluntary scheme, and appears to be a factor behind the US’s attempts to get such a program off the ground.

“[Commerce] were going to collect data, but they were all for voluntary. Remember we’re in the middle of an election, and the President has been taking a lot of heat for not being nice to business,” says Paller.

But without the numbers being published, he says it’s not worth pursuing.

“[The government] can have a hands-off relationship but publicly display the numbers – publish the numbers on the Sunday of every week and show how well they are doing in protecting their users.”

Coroneos, who also admitted data was a problem, has defended Australia’s program, arguing that Paller’s expectation of halving bot infections was “unrealistic given the nature of the problem”.

He also claimed that 20 per cent of Australian recipients failed to act on a notification and that the only way to improve this would be through a massive funding boost.

Paller doesn’t buy this argument, contending that if performance data is published, ISPs would do a lot more to ensure customer infections are remediated.

“If everyone had accountability, you could do five times as much with no pain,” said Paller.

“Whether you make it voluntary or not, if you publish the data on the guys that aren’t doing it, you’ll make voluntary work better.”