Reducing malware infections in Switzerland

SWITCH helps reduce malware infections in Switzerland by a factor of four!

Malware is a big issue in Switzerland too. It comes in many flavours: there is malware that tries to get at your bank account, there is malware that turns your PC into a spam machine, and the list goes on.

Last time we reported how we remediate websites that distribute this malware. But websites are not the only source of malware. High on the list are also e-mail attachments, supposedly originating from lotteries, postal offices and so on.

Many internet users get infected, worldwide and in Switzerland. So is that it? After an infection, will you be an eternal net-zombie? Not if you live in Switzerland. Thanks to its international network, SWITCH-CERT receives a daily dose of reports about infected IP addresses in Switzerland. By far the largest number come from Team Cymru's CSIRT Assistance Program. But there are other sources, such as MELANI or our own sensors.

We receive these reports because SWITCH-CERT is perceived as a national CERT. This means third parties contact us if there is an IT security issue in Switzerland, because they know we try to help. In return, of course, we can ask these people for help if we have an issue outside Switzerland.

So what do we actually do with this information? Not really much in terms of work: we forward the reports to the owner of the respective network. Technically, we report them to the owner of the autonomous system (AS) the IP address belongs to. In short, an AS is a collection of IP address space belonging to one organisation; for example, the SWITCH backbone is AS599.

Currently we have about 370 Swiss networks in our database. We send these reports to the respective admins and ask them to clean up the mess, and most of them do. This is remarkable and shows that the old spirit of the internet as a community has not vanished yet. These reports mean more work for people, for which they don't get paid. But it does pay in the end: fewer infected customers means fewer calls to the helpdesk, fewer entries on blacklists, etc.
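As an added illustration of the forwarding step described above (example code, not SWITCH-CERT's own tooling), the following groups a feed of infection reports by the autonomous system that announces each IP address and counts unique IPs per AS, which is the metric tracked below. The report line format, the prefix table and the AS numbers other than AS599 are constructed assumptions; AS599 is SWITCH's, per the post, but the prefixes listed for it here are made up, not real routing data.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table: AS number -> announced prefixes.
# AS599 is SWITCH (from the post); the prefixes and the other two
# AS numbers are sample values only, not real routing data.
PREFIX_TABLE = {
    "AS599": ["192.0.2.0/24", "198.51.100.0/25"],
    "AS64500": ["198.51.100.128/25"],
    "AS64501": ["203.0.113.0/24"],
}

def build_routes(table):
    """Flatten the table into (network, asn) pairs, longest prefix first."""
    routes = [(ipaddress.ip_network(p), asn)
              for asn, prefixes in table.items() for p in prefixes]
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes

ROUTES = build_routes(PREFIX_TABLE)

def lookup_asn(ip_str, routes=ROUTES):
    """Longest-prefix match: first hit wins because routes are sorted."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn in routes:
        if ip in net:
            return asn
    return None  # not in any Swiss network we know about

def group_reports(lines, routes=ROUTES):
    """Parse 'timestamp|ip|family' lines; return {asn: {ip: [(ts, family)]}}
    plus the set of IPs that matched no known prefix."""
    per_as, unrouted = defaultdict(dict), set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, family = (f.strip() for f in line.split("|"))
        asn = lookup_asn(ip, routes)
        if asn is None:
            unrouted.add(ip)
            continue
        per_as[asn].setdefault(ip, []).append((ts, family))
    return per_as, unrouted

def unique_ip_counts(per_as):
    """Unique infected IPs per AS, the number to send each network admin."""
    return {asn: len(ips) for asn, ips in per_as.items()}

# Constructed sample feed (timestamp|ip|malware family), not a real report.
SAMPLE_FEED = """
# constructed sample
2011-01-10T08:00:00Z|192.0.2.17|zeus
2011-01-10T09:30:00Z|192.0.2.17|zeus
2011-01-10T10:00:00Z|198.51.100.200|conficker
2011-01-11T07:15:00Z|203.0.113.5|spyeye
2011-01-11T12:00:00Z|198.51.100.9|zeus
2011-01-12T03:45:00Z|10.0.0.8|unknown
"""
```

Running `group_reports(SAMPLE_FEED.splitlines())` yields two unique IPs for AS599 (one of them reported twice), one each for the other two constructed ASes, and 10.0.0.8 left unrouted for manual triage.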

Are we successful? I would answer this question with a definite Yes. When we started about a year ago we were reporting between 5'000 and 6'000 unique IP addresses per week. This is now down to a few hundred.

[Figure: Unique infected IPs]

Unique infected IP addresses reported by SWITCH-CERT to Swiss network operators. The latter inform their customers and typically help them remove the infection. This effort has led to a dramatic decrease in the number of infected systems in Switzerland.

This decrease is not seen on a global scale, so it's not just an artefact. In fact, looking at various reports, such as the Panda quarterly report or the latest Microsoft Security Intelligence Report, shows that Switzerland is on the right path: we're among the cleanest places on the internet. Thus: a big "Thank You" to all who made this possible.

