
Malware detected by Traficom

These statistics detail the number and duration of malware infections in computers connected to Finnish information networks. The data is received from the Autoreporter service of the National Cyber Security Centre Finland (NCSC-FI) at Traficom, which collects data on malicious network traffic detected on the internet. The data is published four times a year. The statistics are produced by the Finnish Transport and Communications Agency Traficom.

The NCSC-FI Autoreporter service has been in use since 2006 and it covers all Finnish network areas. The statistical data collected during several years can be used to examine the prevalence of malware in Finnish networks, for example.

When reading the graphs below, keep in mind that one infected computer may cause several Autoreporter observations on consecutive days if the malware has not been removed from the computer. The data sources have been modified since the launch of Autoreporter. Over time, new and reliable sources have been added, unreliable sources have been removed, or data provided by an old source has been filtered on the basis of feedback from telecommunications operators. Since Autoreporter has been in operation for a rather long time, its observations are statistically sufficient for drawing conclusions such as those mentioned above.

The first graph contains the total number of detected malware and malicious traffic per quarter from 2012 onwards. Some retroactive corrections were made to the statistics in November 2016.

In 2013 and early 2014, the number of observations was exceptionally high because one telecommunications operator had technical difficulties in connecting the IP address data involved in the observations to internet connections. Consequently, the operator could not inform its customers about their malware infections. Once the operator repaired its system for monitoring IP addresses and contacting its customers, the number of observations decreased rapidly in early 2014.

The observations peaked again in October and November 2016. This was caused by the Mirai malware, which spread fast in small network devices and smart devices (Internet of Things, or IoT devices) around the world, including Finland. The NCSC-FI started to coordinate the filtering of network traffic, which significantly helped control the spreading of Mirai. However, Mirai was quickly followed by other similar malware. It seems that malware that infects smart devices and uses them to spread is here to stay. Such malware still dominates the statistics.

In late 2018, a new form of malware began spreading in QNAP's network-attached storage devices in Finland and abroad. The NCSC-FI was one of the first operators to investigate the malware and gave it the name QSnatch. Once the reason for the infections was discovered, most owners of infected devices were able to remove the malware and protect their devices. However, some were not, and QSnatch has also become a permanent nuisance.

The second figure presents the relative proportions of different types of malware and malicious traffic during the most recent quarter.

March 2020 saw a marked increase in instances of malware scanning the internet for vulnerable and inadequately protected systems. The change has been spurred by the growth in remote work as a result of the coronavirus pandemic, which has, for example, exposed to the internet a large number of Windows remote desktop services previously protected by companies’ internal networks. After the active period in spring, the number of observations in the latter half of 2020 decreased to the same level as in the previous year.

Malware that attacks smart devices connected to the internet (IoT), such as security cameras and recording devices, constitutes a substantial share of detected malicious software. Most of the observations still concern QSnatch and Mirai.

The cybercriminal group Avalanche offers phishing and malware attacks to other criminals as a service. The group uses and spreads several malware families. While our Autoreporter service cannot identify all Avalanche malware in network traffic, it is able to detect communication between infected computers and the group’s command-and-control servers. While the group targeted Finland to an exceptional extent during the first three months of 2020, the second quarter of the year saw a return to normal levels. The number of observations increased again in July and August, but October was a quieter month.

The Hummer malware has been dominating the statistics since the second half of 2020, and no change is foreseen in the near future. Hummer is a rootkit, which makes it extremely difficult to remove from an infected device. Having infiltrated a device, Hummer gains administrator privileges, shows the user ads and downloads applications that may be malicious or drain the device's battery quickly.