Statistics from the Autoreporter service as open data

Autoreporter statistical data

Provided by the NCSC-FI at FICORA, Autoreporter is a service that automatically collects malware and information security incident observations concerning Finnish networks. The observations are forwarded for remediation to the parties responsible for the information security of Finnish networks. Autoreporter monitors over 200 AS numbers.

The statistical data produced by the Autoreporter service is published as open data on this page. The following data on the observations have been published: time window (UTC time zone), AS number, IP address, and a more detailed classification of the observation.
The time window consists of full days, and one IP address is shown in the time window only once per observation type. Because IP addresses can be dynamically allocated, it is possible that a single IP address is used by several users during the time window.

AS numbers and IP addresses have been anonymised by means of a hash function. IP addresses have been anonymised in order to protect the identity of a single user, whereas AS numbers have been anonymised at the request of network administrators. However, the geographic position of IP addresses has been ascertained at the city level before the anonymisation of IP addresses.
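
The publication steps described above (full-day UTC windows, one row per IP address per observation type, city lookup before hashing), as an added example that is not NCSC-FI's code. The page names neither the hash function nor the file layout: HMAC-SHA256 with a secret key, the field names, treating the subcategory as part of the observation type, and the sample records are all assumptions, and the key is used because an unkeyed hash over the IPv4 address space can be enumerated.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: a secret key held only by the publisher (constructed demo value).
SECRET_KEY = b"constructed-demo-key"

# Constructed stand-in for a GeoIP city database (documentation IP ranges).
CITY_BY_IP = {"192.0.2.10": "Helsinki", "198.51.100.5": "Oulu"}

# Constructed raw observations: (timestamp, AS number, IP, main category, subcategory).
RAW = [
    ("2015-03-01T23:30:00+02:00", 64500, "192.0.2.10", "bot", "examplebot"),
    ("2015-03-02T01:15:00+02:00", 64500, "192.0.2.10", "bot", "examplebot"),
    ("2015-03-02T01:20:00+02:00", 64500, "192.0.2.10", "scan", "port 22"),
    ("2015-03-02T09:00:00+02:00", 64500, "192.0.2.10", "bot", "examplebot"),
    ("2015-03-02T10:00:00+02:00", 64501, "198.51.100.5", "bruteforce", "ssh"),
]

def pseudonymise(value: str) -> str:
    """Keyed hash: stable per input, not enumerable without the key."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def publish(raw):
    """Return one anonymised row per (UTC day, IP, observation type)."""
    seen, rows = set(), []
    for ts, asn, ip, category, sub in raw:
        # The time window is a full day in UTC, whatever offset the sensor logged.
        day = datetime.fromisoformat(ts).astimezone(timezone.utc).date().isoformat()
        key = (day, ip, category, sub)  # assumption: type = category + subcategory
        if key in seen:  # an IP appears only once per type per window
            continue
        seen.add(key)
        rows.append({
            "day_utc": day,
            "asn": pseudonymise(f"AS{asn}"),
            "ip": pseudonymise(ip),
            "city": CITY_BY_IP.get(ip, "unknown"),  # looked up before hashing
            "category": category,
            "subcategory": sub,
        })
    return rows

if __name__ == "__main__":
    for row in publish(RAW):
        print(row)
```

The second record is dropped even though its local date differs from the first, because both fall on the same UTC day.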

Observation types

The main categories of the observation types are:

  • bot: A workstation infected by malware is usually connected to a network managed by the attacker. The workstation becomes a bot client that can be commanded via the existing botnet.
  • bruteforce: An IP address from which attempts to infiltrate commonly used network services have originated. Random character strings or words found in dictionaries have been used to systematically crack the passwords of network services. A workstation at that IP address may have been the subject of a data break-in or it may be infected by malware.
  • cc: A workstation infected by malware is usually connected – in one way or another – to a botnet managed by the attacker. An administration server that is used to command such botnets has been identified at the IP address.
  • dameware: Old versions of DameWare Mini Remote Control software include a vulnerability that can be exploited remotely. The vulnerability allows installation of malware on a workstation. Possible successful exploitation of this DameWare vulnerability has been detected at the IP address.
  • ddos: This category lists both workstations participating in DoS attacks and targets subjected to DoS attacks.
  • defacement: The IP address points to a defaced website.
  • dipnet: Dipnet is a worm infecting Windows-based workstations using the LSASS vulnerability.
  • fastflux: Fastflux is a way, implemented at the name server level, to hide the administration servers of a botnet, websites participating in phishing, and websites used to spread malware. The name server continuously returns new IP addresses to a specific domain name. The returned IP addresses are usually those of infected workstations that are part of a botnet.
  • malware: The IP address has been used to distribute malware.
  • malweb: A malicious website has been detected at the IP address. This category usually consists of IP addresses with harmful JavaScript, iFrame references, or other malicious components to the website.
  • phishing: A website participating in phishing has been detected at the IP address. It is usually a workstation or web server that has been the subject of a data break-in.
  • proxy: A workstation or server has been turned into an open proxy server that is being utilised. The utilisation can take many forms. It can be used for sending spam or commanding botnets, for instance.
  • router: An active device on the network has been turned into a proxy server that is being utilised. The utilisation can take many forms.
  • scan: Inconsiderate network research has been conducted from the IP address. Alternatively, the system may have fallen into the wrong hands or may include a workstation infected by malware.
  • spreaders: Malware uses a variety of spreading mechanisms, one of which is exploiting operating system vulnerabilities. Signs indicating that the IP address is being used to spread malware have been observed.
  • suspected spambot: The IP address has been used in an attempt to send spam. There is reason to suspect that the workstation has been infected by malware and it is being used to send spam.
  • worm: The IP address has been used in an attempt to spread a worm. Network worms usually use a vulnerability of the network service to spread.

The main categories of the observations are further specified with subcategories. The subcategories can include, for example, the names of malware and the port numbers targeted by network scanning or a break-in attempt.

We gladly receive your feedback and development suggestions via the
NCSC-FI's Facebook page, Twitter, or the electronic contact form.

Key words: Information security, Malware, NCSC-FI, Statistics