
AISI malware statistics

Each day the ACMA reports observations of 'malicious software' (malware) to AISI members. The ACMA also provides daily reports of 'open services', 'vulnerable services', and 'other' cyber security observations to these members. Statistics related to these cyber security categories can be found at these links:

  • AISI Open Services statistics
  • AISI Vulnerable Services statistics
  • Other AISI cyber security observations

For the latest AISI and malware alerts, subscribe to the ACMA's Cybersecurity ebulletin.

The AISI data is updated daily and records the date on which each malware observation was made; all dates are in Coordinated Universal Time (UTC).


To observe the trend for an individual malware type, or to compare similar types, simply 'de-select' one or all of the types you do not wish to compare. Each dataset can also be downloaded as a .csv file: Daily malware observations, or Observations by malware family.

Help in interpreting the AISI data

The raw data often contains multiple observations for an individual IP address on the same day, including observations under different categories. Such repeated observations have largely been removed from the data shown in the charts, using the rules below.

On any given day, the ‘AISI Daily Malware Observations’ chart counts each IP address only once, while the ‘AISI Daily Observations per Malware Family’ chart counts each IP address once per malware ‘family’. If an IP address is observed with malware from more than one family, it is therefore represented once for each family in the per-family data. A consequence of this approach is that the daily total of the ‘AISI Daily Observations per Malware Family’ chart will be greater than or equal to the daily total recorded in the ‘AISI Daily Malware Observations’ chart, since every IP address contributes at least one family entry and some contribute several.

If there are observations relating to multiple categories on a given day for a given IP address, that IP address will be represented once in each category. For example, an IP address observed as both infected with malware and running a vulnerable service is reported in both the malware and the vulnerable services categories.
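The de-duplication rules above, worked through in code. This is an added example and not ACMA code or the actual AISI data format: the record layout, the category strings, the date values and the sample observations (which use RFC 5737 documentation addresses) are constructed for illustration. It shows why the per-family daily total can never be lower than the unique-IP total, and how one IP address lands in several category reports.

```python
"""Constructed example of the AISI de-duplication rules.

Every raw observation is one (date, ip, category, family) record. The
field layout, category strings and sample records are assumptions made
for this example; the IP addresses come from RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict

MALWARE = "malicious software"

# Constructed feed covering two UTC days, deliberately containing repeats.
RAW_OBSERVATIONS = [
    # date (UTC), ip, category, malware family (None for non-malware)
    ("2016-03-01", "203.0.113.10", MALWARE, "Zeus"),
    ("2016-03-01", "203.0.113.10", MALWARE, "Zeus"),           # exact repeat
    ("2016-03-01", "203.0.113.10", MALWARE, "Conficker"),      # second family, same IP
    ("2016-03-01", "203.0.113.10", "vulnerable services", None),
    ("2016-03-01", "198.51.100.7", MALWARE, "Tinba"),
    ("2016-03-01", "198.51.100.7", "open services", None),
    ("2016-03-01", "192.0.2.44", MALWARE, "IRC Bot"),
    ("2016-03-01", "192.0.2.44", MALWARE, "IRC Bot"),          # exact repeat
    ("2016-03-02", "192.0.2.44", MALWARE, "IRC Bot"),          # next day: counted again
]


def daily_malware_observations(obs):
    """'AISI Daily Malware Observations': one row per IP per UTC day.
    Returns {date: number_of_unique_ips}."""
    unique = {(d, ip) for d, ip, cat, _ in obs if cat == MALWARE}
    return Counter(d for d, _ in unique)


def daily_observations_per_family(obs):
    """'AISI Daily Observations per Malware Family': one row per (IP, family)
    per UTC day, so an IP seen with two families is counted once in each.
    Returns {date: {family: count}}."""
    unique = {(d, ip, fam) for d, ip, cat, fam in obs if cat == MALWARE}
    per_day = defaultdict(Counter)
    for d, _, fam in unique:
        per_day[d][fam] += 1
    return per_day


def daily_observations_per_category(obs):
    """Category reports: an IP seen in several categories appears once in
    each of them. Returns {date: {category: count}}."""
    unique = {(d, ip, cat) for d, ip, cat, _ in obs}
    per_day = defaultdict(Counter)
    for d, _, cat in unique:
        per_day[d][cat] += 1
    return per_day


def family_total_never_below_unique_ips(obs):
    """Relationship between the two charts: the sum of a day's per-family
    counts can only equal or exceed that day's unique-IP count, because
    every malware-infected IP contributes at least one family row."""
    unique_ips = daily_malware_observations(obs)
    per_family = daily_observations_per_family(obs)
    return all(sum(per_family[d].values()) >= unique_ips[d] for d in unique_ips)


if __name__ == "__main__":
    print("unique IPs per day:", dict(daily_malware_observations(RAW_OBSERVATIONS)))
    for day, fams in sorted(daily_observations_per_family(RAW_OBSERVATIONS).items()):
        print(day, "per family:", dict(fams))
    for day, cats in sorted(daily_observations_per_category(RAW_OBSERVATIONS).items()):
        print(day, "per category:", dict(cats))
    print("family total >= unique IPs on every day:",
          family_total_never_below_unique_ips(RAW_OBSERVATIONS))
```

On the constructed feed, 2016-03-01 yields 3 unique malware IPs but 4 per-family rows (203.0.113.10 appears under both Zeus and Conficker), and 203.0.113.10 also appears once in the vulnerable services category. The 2016-03-02 record for 192.0.2.44 is counted again because de-duplication is per UTC day, which is also why a host whose dynamic IP changes during the day can appear more than once.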

Some related observations about IP address information are that:

  • a service utilizing a ‘dynamic’ IP address (such as a home router) may be represented more than once in the data over a 24-hour period if that 'dynamic' IP has changed during that period.
  • the number of computing devices associated with a given IP address can vary widely, from only one for some residential services to thousands of devices on corporate networks.

A note about data variability

Caution should be applied when interpreting the charts, as the underlying data depends on a set of constantly changing factors. In particular, the absence of data for a given day or week does not necessarily indicate that a given compromise threat has diminished; other factors may have caused the data to become unavailable. Key variable factors include changes to the data sources that feed the AISI and the emergence of new compromise types.

Brief description of malware and cyber security types

The following descriptions provide brief information associated with the most commonly observed malware types, including those identified in the charts. Most malware types will be capable of performing a variety of malicious activities and have multiple variants.

Malware: Marcher

This type identifies Android devices that have been compromised by Marcher malware applications. These applications steal banking and other financial credentials by overlaying the genuine authentication fields of banking apps on the Android device with their own fake fields. The credentials entered are then recorded and sent to malicious actors. Marcher malware is generally installed through software obtained from untrusted sources rather than from trusted sources such as Google Play.

Malware: XcodeGhost

This type identifies Apple iOS devices on which apps compiled with a malicious copy of Xcode are installed. These infected apps enabled user data to be obtained from the device and sent to malicious actors. Infected users should delete the affected app and change their Apple/iCloud password.

Malware: IRC Bot

This category refers to observations of interactions with an IRC (Internet Relay Chat) botnet command and control server associated with a malware infection. The specific type of malware initiating the interaction may not be known.

Malware: Simda

Simda is malware whose primary function is to facilitate the installation of other malware. If a computing device is infected with Simda it is highly likely to be infected with other malware. Simda is distributed via browser exploit kits on compromised websites.

Malware: ZeroAccess

ZeroAccess is designed for the primary purposes of 'click fraud' and 'Bitcoin mining'. It utilises a rootkit, is often installed by web browser exploits and may have been downloaded by other malware already residing on the computer.

Malware: njRAT

Apart from enabling control of an infected device, njRAT can log keystrokes, download and execute files, provide remote desktop access, steal application credentials and access the infected device’s camera and microphone. One njRAT variant can also detect whether a removable storage device such as a USB drive is connected to a computing device. If so, it will attempt to copy itself to the device in the hope of spreading to more devices.

Malware: Conficker

Among other things, Conficker can disable important services on a computer, leaving it vulnerable to other malware. Internet users with Conficker infections are very likely to have other malware infections of a more serious nature.

Malware: Zeus

Zeus is a banking trojan that steals online banking credentials and enables the attacker to modify internet banking transactions.

Malware: Tinba

Tinba, short for 'Tiny Banker', uses 'man-in-the-browser' techniques to steal online banking credentials and sends the stolen details back to the botherders.

Malware: Torpig

The Torpig family is used to steal passwords and other credentials, such as for online banking, via 'man-in-the-browser' attacks. It is typically accompanied and protected by Mebroot, which is a 'bootkit' used to protect malware (such as Torpig) from detection by anti-virus software, or even tools in the operating system itself.

Malware: Asprox

Asprox is used to send spam, steal login credentials stored on the infected computer, and install other malware, such as fake anti-virus software. It typically infects computers via a 'drive-by download' from compromised websites, installing an ‘.exe’ file which downloads and then injects .dll components into running svchost.exe processes. This malware uses constantly changing lists of HTTP command and control (C&C) servers to update its code.

Malware: Bedep

Bedep is malware whose primary function is to collect details about a compromised computing device that facilitates the installation of other malware on that device. Accordingly, a device infected with Bedep is highly likely to be infected with other malware. Bedep is distributed via browser exploit kits on compromised websites.

Malware: Other

Malware types that are not charted individually.

The most appropriate actions to remove the malware and restore the computing device to correct operation will depend on the type and variant, as well as the operating system version and software utilised by the infected internet user. For further information on how to protect yourself online, we recommend that you visit Stay Smart Online.

We welcome any feedback on these charts. If you have any comments please send an email to aisi@acma.gov.au.
