Malware Statistics

About the data

These statistics originate from DroneDB, a database of infected systems in Switzerland that have been active in the last 10 days. The database is fed by different sources, mostly DNS sinkholes operated by different organizations, to which infected clients connect instead of the real C&C servers. The data is aggregated and filtered for all Swiss IP space known to NCSC/GovCERT. The different malware families are sometimes hard to distinguish, because there is no international naming scheme. It is important to note that these numbers show just the tip of the iceberg, as our database only contains data from sinkholed Command and Control servers.

NCSC/GovCERT provides the list of infected systems per AS (Autonomous System) to different ISPs. Any operator of a network that owns its own AS may get this list in order to inform the affected customers within its own network boundary. The goal must be to reduce the number of infected systems, as well as the duration of an infection. GovCERT provides timely information about infections, and the ISPs need to inform their customers. To do so, they need adequate abuse and helpdesk resources. Informing customers must be done by the respective ISPs, as GovCERT has no information about who uses which IP address at a given time.
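
The aggregation described above (sinkhole hits, restricted to known IP space, limited to the last 10 days, grouped per AS) can be sketched as follows. This is an added example, not NCSC/GovCERT code: the record layout, the prefix-to-AS table, the AS numbers and the family labels are constructed assumptions, using documentation prefixes and documentation AS numbers.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed prefix-to-AS table (documentation prefixes and AS numbers).
PREFIX_TO_AS = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Constructed sinkhole events: (UTC timestamp, client IP, family label from the feed).
EVENTS = [
    ("2024-03-10T08:15:00+00:00", "192.0.2.10", "family-a"),
    ("2024-03-12T21:40:00+00:00", "192.0.2.10", "family-a"),    # same host, later hit
    ("2024-03-11T03:05:00+00:00", "192.0.2.77", "family-b"),
    ("2024-03-09T12:00:00+00:00", "198.51.100.5", "family-a"),
    ("2024-02-20T12:00:00+00:00", "198.51.100.9", "family-c"),  # older than 10 days
    ("2024-03-12T10:00:00+00:00", "203.0.113.4", "family-a"),   # outside known IP space
]

def lookup_as(ip):
    """Return the AS number for ip, or None if it is outside the known prefixes."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in PREFIX_TO_AS.items() if addr in net]
    return max(matches)[1] if matches else None  # longest prefix wins

def per_as_report(events, now, window_days=10):
    """Group hosts seen within the window by AS: {asn: {ip: (last_seen, families)}}."""
    cutoff = now - timedelta(days=window_days)
    report = defaultdict(dict)
    for ts, ip, family in events:
        seen = datetime.fromisoformat(ts)
        asn = lookup_as(ip)
        if asn is None or seen < cutoff:
            continue  # not in known IP space, or no longer counted as active
        last, families = report[asn].get(ip, (seen, set()))
        # One entry per IP: keep the most recent hit and every label the feeds used.
        report[asn][ip] = (max(last, seen), families | {family})
    return dict(report)

if __name__ == "__main__":
    now = datetime(2024, 3, 13, tzinfo=timezone.utc)
    for asn, hosts in sorted(per_as_report(EVENTS, now).items()):
        for ip, (last, fams) in sorted(hosts.items()):
            print(f"AS{asn} {ip} last_seen={last.isoformat()} families={sorted(fams)}")
```

The report carries the last-seen timestamp per IP because, as noted above, only the ISP can map an IP address and a point in time to a customer.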
