Reports on Malware Infections

This webpage contains information on the alerts that CERT-Bund has sent to Germany's network operators regarding malware infections.

Malware and C&C servers

After infecting a system, most malware programs make contact with a command-and-control (C&C) server operated by the corresponding attackers in order to download additional malicious code, receive further instructions, or pass on information (such as usernames and passwords) they have extracted from the infected system. This contact is often established using domain names that have been registered by the perpetrators for this specific purpose.

Sinkholes

A common approach to identifying systems infected with malware involves redirecting DNS lookup requests to computers referred to as 'sinkholes'. This process involves analysing the malware at hand to determine the domain names with which it is communicating and working with the responsible domain name registries to have related requests redirected to sinkhole servers. These sinkholes proceed to log attempts to access the malicious URLs along with the respective timestamps and source IP addresses. These kinds of sinkholes are operated by many analysts and IT security service providers around the world.

Since such domain names are not used to host legitimate internet services, they are typically not accessed by normal users. An attempt to access one of these domain names is therefore a strong indication that the source IP address pertains to a system that is infected with the corresponding malware.

As a national CERT, CERT-Bund receives log data from various international sinkhole operators on a daily basis. It contains information on attempts to access malicious domain names from IP addresses belonging to German network operators. The national CERTs of other countries receive corresponding data that is relevant to them.

The data supplied by sinkhole operators typically includes a timestamp for each access attempt logged, as well as the source IP address, the malicious URL accessed, and the designation of the corresponding malware program that normally uses the URL to contact a C&C server. The data often also includes the IP addresses of the sinkholes, as well as the source and target port numbers of the connections logged.

Notification of network operators / providers

The data sinkhole operators provide to CERT-Bund is automatically analysed and matched to the network operators responsible based on the source IP addresses of the logged access attempts. The operators are then notified of the malware infections that may be present in their network segments. The information described above regarding the access attempts logged by sinkholes is also passed on to network operators.

If a given network operator is a provider, it is asked to inform its affected customers accordingly. CERT-Bund is not able to identify providers' end customers; only a provider can ascertain which customer was using a specific IP address from its network segment at a particular point in time.

Statistics

Second half of 2019

In the second half of 2019, CERT-Bund processed 17 billion raw data records from sinkholes that were provided by various sources. This data was used to derive information on 3.8 million daily infections pertaining to IP addresses from German network operators (including providers and other companies/organisations). CERT-Bund then notified the operators of these infections.

In this context, a daily infection corresponds to a combination of one IP address and one malware family per day. The number of different individual infections and affected systems is impossible to determine. For one thing, such cases typically involve dynamic IP addresses that are only temporarily associated with a particular customer's connection. As a result, multiple IP addresses are often reported to a provider until the infected system in question has been cleansed. Then there are frequent cases in which a single IP address (of a proxy server or a NAT gateway, for example) pertains to several infected systems at the same time.
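As an added illustration (not CERT-Bund's own code), the following Python derives the "daily infection" unit defined above from sinkhole records in the field layout described earlier (timestamp, source IP and port, sinkhole IP, target port, URL, malware family) and groups the results by the responsible network operator. The log lines, the prefix-to-operator table and the operator names are constructed placeholders.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the field layout the page describes (not real sinkhole data).
# Addresses come from documentation ranges; operator names are placeholders.
SAMPLE_LOG = """\
timestamp,src_ip,src_port,sinkhole_ip,dst_port,url,malware
2019-09-03T08:12:41Z,198.51.100.23,51233,203.0.113.9,80,http://example-bad-domain.invalid/gate.php,andromeda
2019-09-03T09:40:02Z,198.51.100.23,51580,203.0.113.9,80,http://example-bad-domain.invalid/gate.php,andromeda
2019-09-03T11:05:17Z,198.51.100.23,52001,203.0.113.10,443,http://example-other.invalid/cfg,tinba
2019-09-04T07:59:33Z,198.51.100.23,51111,203.0.113.9,80,http://example-bad-domain.invalid/gate.php,andromeda
2019-09-03T12:30:00Z,192.0.2.77,40001,203.0.113.9,80,http://example-bad-domain.invalid/gate.php,andromeda
"""

# Placeholder prefix-to-operator table (a real one would be built from RIR/WHOIS data).
OPERATORS = {
    ipaddress.ip_network("198.51.100.0/24"): "Provider A",
    ipaddress.ip_network("192.0.2.0/24"): "Provider B",
}

def operator_for(ip):
    """Return the operator responsible for an IP, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, name in OPERATORS.items():
        if addr in net:
            return name
    return None

def daily_infections(log_text):
    """One 'daily infection' = one (date, IP, malware family) combination per day.
    Repeated access attempts by the same IP for the same family on one day count once;
    a second family on the same day, or the same family on the next day, count again."""
    seen = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        day = row["timestamp"][:10]  # ISO date part of the timestamp
        seen.add((day, row["src_ip"], row["malware"].lower()))
    return seen

def notifications(log_text):
    """Group daily infections by the operator responsible for the source IP."""
    by_operator = defaultdict(list)
    for day, ip, family in sorted(daily_infections(log_text)):
        by_operator[operator_for(ip) or "unassigned"].append((day, ip, family))
    return dict(by_operator)
```

Run on the sample, the five raw records collapse to four daily infections: three for Provider A (two families on one day plus a repeat the next day) and one for Provider B.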

The following graphic lists the top 20 malware families that were reported in the second half of 2019.

[Figure: Top 20 reported malware families in the second half of 2019]

However, these statistics do not reflect the actual prevalence of malware in Germany because sinkhole data is not available in the same quantities (or at all) for every malware family. Furthermore, widespread malware variants like Emotet and Trickbot are not included in the statistics because they communicate with C&C servers directly via IP addresses rather than by means of domain names that could be redirected to a sinkhole. This makes corresponding malware infections difficult to identify.

As in the first half of 2019, infections stemming from the malware Andromeda were reported most frequently throughout the rest of the year. This variant is a downloader that retrieves and installs further malware such as online banking trojans.

Coming in second and third in the latter half of 2019 were Mirai and QSnatch, which attackers installed on insecurely configured network devices like routers and NAS systems.

Many of the other frequently reported malware variants -- such as GozNym, Nymaim, Tinba, ZeuS, and Gozi -- are also online banking trojans.

Magecart, meanwhile, is a collective term for malware that cyber criminals plant in online shops to steal customer data (such as names, addresses, credit card data, and other payment information) during the ordering process.

Despite being over 10 years old now, the Conficker malware is also still very prevalent in Germany. Almost all the systems infected with this variant run the outdated operating system Windows XP.

First half of 2019

In the first half of 2019, CERT-Bund processed 23 billion raw data records from sinkholes that were provided by various sources. This data was used to derive information on 3.6 million daily infections pertaining to IP addresses from German network operators and providers; CERT-Bund then notified the operators of these infections.

In this context, a daily infection corresponds to a combination of one IP address and one malware family per day. The number of different individual infections and affected systems is impossible to determine. For one thing, such cases typically involve dynamic IP addresses that are only temporarily associated with a particular customer's connection. As a result, multiple IP addresses are often reported to a provider until the infected system in question has been cleansed. Then there are frequent cases in which a single IP address (of a proxy server or a NAT gateway, for example) pertains to several infected systems at the same time.

The following graphic lists the top 20 malware families that were reported in the first half of 2019.

[Figure: Top 20 reported malware families in the first half of 2019]

However, these statistics do not reflect the actual prevalence of malware in Germany because sinkhole data is not available in the same quantities (or at all) for every malware family. Furthermore, widespread malware variants like Emotet and Trickbot are not included in the statistics because they communicate with C&C servers directly via IP addresses rather than by means of domain names that could be redirected to a sinkhole, which means no corresponding sinkhole data is available.

Mirai and VPNFilter, meanwhile, are malware variants for IoT devices. They primarily affect routers and other network devices. All the other malware under consideration relates to infections of Microsoft Windows systems.

Despite being over 10 years old now, the Conficker malware is also still very prevalent in Germany. Almost all the systems infected with this variant run the outdated operating system Windows XP.