Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
The map represents the DroneDB, a database containing infected systems in Switzerland that have been active the last 48h. This database is fed by different sources, mostly DNS sinkholes operated by different organizations, where infected clients connect to instead of the real C&C servers. This data is aggregated and filtered for all Swiss IP space known to NCSC/GovCERT and then attributed to the different cantons using Geolite City of maxmind. It must be noted that the geographical representation is neither exact nor complete. The map shows a relative indication of how strong a Canton is affected by malware by dividing the number of infected devices by the population. Even though this is far from perfect it is the best thing we have currently as we do not have any numbers about Internet connectivity per Canton. Another limiting point is the fact that one IP may represent one to many infected devices if it is a proxy server or a NAT device hiding various infections. It is important to note that these numbers just show the tip of the iceberg, as our database only contains data from sinkholed Command and Control servers.
Action recommended: NCSC/GovCERT provides the list of infected system per AS (Autonomous System) to different ISPs. Any operator of a network owning its own AS may get this list in order to inform the affected customers within his own network boundary. The goal must be to reduce the number of infected systems, as well as the duration of an infection. GovCERT provides timely information about infections and the ISPs need to inform their customers. For doing so they need to have adequate abuse- and helpdesk resources. This information must be done by the respective ISPs as GovCERT has no information about who uses which IP at a given time.
Back to top