ACMA database keeps finger on Australia’s malware pulse

Australian ISPs and universities are sending more than 10,000 emails a day to warn customers their systems appear to be infected by malware – but as few as one in five is ever read by its recipient, statistics from the Australian Communications and Media Authority’s (ACMA’s) Australian Internet Security Initiative (AISI) show.

Developed as part of ACMA’s statutory enforcement of the Spam Act 2003 and as an adjunct to the Internet Industry Association of Australia’s iCode code of conduct, AISI is an ACMA-managed initiative involves the provision of data to over 130 participants – ISPs, universities and others operating a range of fixed IP addresses – who also get data from the likes of Microsoft, the Complete Blocking List, ShadowServer, and other sources public and private.

The system has been built and is maintained in house by a team of four developers whose brief also includes ACMA’s Spam Intelligence Database (SID), which currently contains over 100 million spam messages – half of which were reported directly by members of the Australian public.

“There are other similar initiatives around the world,” says Bruce Matthews, manager of the e-Security Operations Section within ACMA’s Unsolicited Communications Branch, told CSO Australia. “But we don’t believe that any regulator has such a powerful database to assist in spam enforcement, and to assist in producing data for an anti-botnet program as we have done.”

“We feed information on spam-sending, bot-infected Australian IP addresses directly into the AISI, and provide detailed daily reports that let participants see and compare the number of infections they’ve received with the aggregate amount of infections and any information of note in relation to infection trends on their own networks.”

To coincide with the government-backed National Cybersecurity Awareness Week, ACMA has today launched a new-look Web site for AISI, through which detailed analyses of ongoing activities are available through a range of views. Trending information over 90 days is available, with analysis of the top-trending infection families at any given time.

Statistics are updated on a daily basis, and released online through the AISI portal within one or two hours of being sent to AISI participants. One recent day saw 15,254 reports of possible botnet infections sent to member ISPs and other AISI participants; this information is then used to generate warning notices that are sent to subscribers – although reports from some ISPs suggest that as many as 80% of notices go unread.

“Most ISPs have processes for escalating reports,” Matthews says. “If a particular IP is continually appearing, they’ve got the option of putting customers into walled gardens so they can’t get access to the internet until they request access and deal with the infection. There are various escalation processes followed by ISPs in accordance with their own requirements.”

Regular flux in the number of reports, and their nature, allows ACMA to track infection trends for fast-spreading malware, and to help participants pinpoint their efforts to fight the infections. Last year’s DNSChanger outbreak, for example, was flagged quickly and kicked off an aggressive ACMA campaign – in conjunction with CERT Australia and the Department of Broadband, Communications and the Digital Economy (DBCDE) – to support successful global efforts to limit the malware’s scope.

An ACMA-run site, through which users could check if they were infected with DNSChanger, received more than 1.65m unique visitors and 6.7m hits total. Fully 1.1m of those visitors hit the site in the four days before the DNSChanger botnet was disabled, on 9 July 2012.

For more than two-thirds of AISI’s industry participants, regular malware reports are the only source of malware data – so ACMA is particularly cautious about ensuring the data is free from false-positives.

“We get a lot of data that we don’t report,” Matthews says. “We need to be very confident in the accuracy of the data if we’re going to send that data to an ISP, and that ISP is going to use that information to contact their customers. We reject any sign that is a false positive. There is a whole lot of work involved in the whole process.”

Follow-up surveys of AISI participants have confirmed that the data is seen as reliable: one university, for example, said investigations into reported sources almost always found an infection. And most AISI participants take some form of action in response to the notices.

By working regularly to stay abreast of changing infection trends, Matthews says ACMA has been able to build a partnership model that has been fundamental to the success of AISI – which he hopes will become even more widely used through the newly revamped site.

“There aren’t too many initiatives which at such a high level have voluntary participation, and we have the vast majority of Australian ISPs participating,” he explains.

“It’s a cooperative, collaborative approach, and AISI has become a success because it’s been done very cooperatively with the industry and, in particular, ISPs. They don’t have to replicate it themselves, and would rather aggregate information than have the time of their team members taken up.”