
CERT Polska Semiannual Report: January-June 2011
20 October 2011 | CERT Polska | #botnet, #malware


Our first semiannual report, covering the period from January to June 2011, focuses on information from automated systems. We received almost 4 million automated incident reports and grouped them into major categories such as spam sources, phishing, malware, bots and DDoS attacks. We discuss our findings in the context of the 2010 annual report and point out some important changes (some of which we are not able to fully explain). Noteworthy observations concern malware distribution and phishing in Polish networks, as well as the location of spam sources and bots. Among other things, we try to pinpoint the factors that break the apparently obvious correlation between the last two indicators. You can download the report in English from the following URL:

The graph displays the number of reports in the major categories.

Below are some of the most interesting conclusions of the report. The complete list, together with observations on IT security events in the first half of 2011, can be found at the beginning of the document.

    • Despite the increasing number of automated information sources, we received less than half as many submissions concerning Poland as we expected.
    • Although hosting providers in Poland are far more affected by phishing than Internet access providers, they are also much more effective at reacting to such threats.
    • More than one in five (21%) Polish domains involved in a phishing case belonged to an e-commerce site. Polish networks accounted for about 2% of malicious webpage cases worldwide, an increase on the 1.4% share recorded for the whole of last year.
    • Surprisingly, we found that a large majority of malicious websites were hosted in Internet access provider networks rather than at hosting providers, which had been the case last year.
    • We identified 1,033,681 unique incidents of spam originating in Poland. More than half (573,721) originated from the Netia network, while we noted only 151,502 spam incidents from the Polish Telecom network. This is not surprising: it has been the case since the end of 2009, when Polish Telecom introduced filtering of port 25/TCP, the SMTP port that spam bots use to deliver mail directly.
    • An overwhelming majority of scans hit port 445/TCP. These can mostly be attributed to attempts to exploit the vulnerability in the handling of RPC requests by the Windows Server service described in Microsoft security bulletin MS08-067, the same flaw that the Conficker worm uses to spread.
    • The top 10 list of infected networks in Poland largely mirrors the size of the operators in terms of number of users.
    • In the first half of 2011, we observed over 1 million bots in Polish networks. The bots most commonly reported to us were Torpig and Rustock; each was reported at least three times more often than any other bot.
    • China's share of the countries hosting malware URLs increased. In percentage terms, the United States hosts fewer malware URLs than last year, but it still remains the lead location. Over 50% of the malicious websites reported to us were located in these two countries.
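The figures above come from collapsing millions of raw automated reports into "unique incidents" per category and per network. The script below is an added example of that kind of aggregation; it is not CERT Polska's own pipeline. The feed format, the definition of a unique incident as one (day, IP, category, detail) tuple, the operator names and the AS numbers (taken from the documentation range reserved by RFC 5398) are all assumptions made for illustration, and the feed lines are constructed, not real data.

```python
"""Aggregate automated incident reports into unique incidents per category
and per network. Added example, not CERT Polska's pipeline: the feed format,
the unique-incident key and the AS numbers are assumptions for illustration."""
from collections import Counter
from datetime import datetime

# Constructed sample feed (not real data). One report per line:
# timestamp,source_ip,category,asn,detail
# Reporters often send the same host several times a day, so raw line counts
# overcount; one malformed line and one unknown category are included on
# purpose to show how they are handled.
SAMPLE_FEED = """\
2011-03-02T10:15:00Z,10.0.0.5,spam,64496,smtp-relay
2011-03-02T11:40:00Z,10.0.0.5,spam,64496,smtp-relay
2011-03-03T09:00:00Z,10.0.0.5,spam,64496,smtp-relay
2011-03-02T12:00:00Z,10.0.1.9,spam,64497,smtp-relay
2011-03-02T12:05:00Z,10.0.2.7,scan,64497,445/tcp
2011-03-02T12:06:00Z,10.0.2.7,scan,64497,445/tcp
2011-03-02T12:07:00Z,10.0.2.8,scan,64496,445/tcp
2011-03-02T12:08:00Z,10.0.2.8,scan,64496,22/tcp
2011-03-02T13:00:00Z,10.0.3.1,bot,64497,torpig
2011-03-02T13:30:00Z,10.0.3.1,bot,64497,torpig
2011-03-02T14:00:00Z,10.0.3.2,bot,64496,rustock
2011-03-02T15:00:00Z,10.0.4.4,phishing,64496,e-commerce
garbage line without the expected fields
2011-03-02T16:00:00Z,10.0.5.5,c&c,64497,unknown-family
"""

# Hypothetical AS-number-to-operator mapping (documentation ASNs, RFC 5398).
NETWORK_NAMES = {64496: "operator-a", 64497: "operator-b"}

# Categories the report groups incidents into; anything else becomes "other".
KNOWN_CATEGORIES = {"spam", "phishing", "malware", "bot", "scan", "ddos"}


def parse_feed(text):
    """Parse the feed into report dicts, skipping malformed lines."""
    reports = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the batch
        ts, ip, category, asn, detail = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            asn = int(asn)
        except ValueError:
            continue  # unparseable timestamp or ASN
        category = category.lower()
        if category not in KNOWN_CATEGORIES:
            category = "other"
        reports.append({"day": when.date(), "ip": ip, "category": category,
                        "asn": asn, "detail": detail})
    return reports


def unique_incidents(reports):
    """Collapse repeated reports about the same host and day into one incident.

    The key (day, ip, category, detail) is an assumed definition: the same
    host scanning two different ports counts as two scan incidents, but the
    same spam source reported twice in one day counts once."""
    seen = {}
    for r in reports:
        key = (r["day"], r["ip"], r["category"], r["detail"])
        seen.setdefault(key, r)
    return list(seen.values())


def count_by_category(incidents):
    """Unique incidents per report category."""
    return Counter(i["category"] for i in incidents)


def count_by_network(incidents, category):
    """Unique incidents of one category per operator, resolved by AS number."""
    return Counter(NETWORK_NAMES.get(i["asn"], f"AS{i['asn']}")
                   for i in incidents if i["category"] == category)


def scan_port_share(incidents):
    """Fraction of unique scan incidents per target port (the detail field)."""
    ports = Counter(i["detail"] for i in incidents if i["category"] == "scan")
    total = sum(ports.values())
    return {port: n / total for port, n in ports.items()} if total else {}


if __name__ == "__main__":
    incidents = unique_incidents(parse_feed(SAMPLE_FEED))
    print("unique incidents per category:", dict(count_by_category(incidents)))
    print("spam sources per network:", dict(count_by_network(incidents, "spam")))
    print("scan targets by port:", scan_port_share(incidents))
```

On the constructed feed, 13 parsable reports collapse to 10 unique incidents; the spam count per operator and the share of scans aimed at 445/tcp are the two views the report's conclusions rely on. The choice of dedup key matters: widening it to a whole month would make the counts much smaller and hide repeat offenders, while dropping the detail field would merge scans of different ports into one incident.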