Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Is Australia a hot-bed of zombie activity

Is Australia a hot-bed of zombie activity

  • Comments 5

A couple of weeks ago, I posted that Australia was getting ISPs to boot infected computers off of their network.  I commented on whether or not this was a good policy.  However, there was one thing in that article that I wanted to comment on but didn’t, it was this excerpt:

A global report by security technology giant McAfee reveals that Australia now ranks behind only the US and China for the number of "zombie" computers that fell under the control of spammers in 2009. "The `Land Down Under' is proving to be fertile ground for zombie recruiting," the report says.

It estimates Australia accounts for 6.3 per cent of the world's "new zombies", compared with 18 per cent from the US and 13.3 per cent from China. Just two years ago, Australia was not even in the top 10 countries listed in McAfee's Global Threats report.

Australia is now number 3?  Behind only the US and China?  That sounds a little hard to believe.  I say this because it completely contradicts any of the data I have.

Now, I will admit that I only have data on how much spam we receive from each country, and from how many distinct IPs.  If I go by the second half of 2009, Australia ranks 24th for distinct number of IPs that sent us spam and 26th for total amount of spam sent.  It lags far behind other countries like South Korea, Brazil, India, Poland, Spain, Romania, Ukraine, and so forth.

Now it’s possible that McAfee’s report measure total zombie activity.  Zombies do more than send spam – they host spammy web pages, do fast flux, perform black search engine optimization, conduct DOS attacks, and so forth.  And obviously, I have gaps in my own data because I don’t measure that.  Yet if I go by data in Microsoft’s latest Security and Intelligence Report (covers first half of 2009), Australia ranks far down the list of countries in terms of number of infected computers with malware, drive-by downloads, and so forth.  It confirms my data that Australia is not one of the biggest players when it comes to spam.

This leads me to a couple of possibilities:

  1. McAfee has other metrics that we are not collecting that indicates that Australia has lots of zombies and bumps it up the list.

  2. One of us is wrong.

No offense to McAfee, but I’m guessing (emphasis on the word guessing) that it’s (2), and it’s not us that is wrong.  It stretches the credibility to assert that Australia is a smaller player in spam and malware infections but is really abusive in everything else.  More often than not, if a country is abusive in one category, they are usually abusive in other categories.  While it is true they may not be stack-ranked the same in every category of abuse, they usually are pretty close.

Leave a Comment
  • Please add 6 and 6 and type the answer here:
  • Post
  • McAfee, like Symantec, often release the results of so-called "surveys" (probably when sales are slow... and they get free publicity.

  • Australia never makes it into the top 10 botnet countries I compile every day, either.  But they have had some botnet detection mechanism (Australian Internet Security Initiative, http://www.acma.gov.au/WEB/STANDARD/1001/pc=PC_310317) in place since 2005.  Maybe they do have a lot of zombies, which are detected and cleaned up shortly after sending few spam.  That might explain why few spams from Australia end up in my hand.

  • Aren't you comparing apples and oranges? You're measuring the number of zombies (by proxy) and McAfee is measuring the number of *new* zombies.

    If, as you said, Australian ISPs are doing a good job of remediation, I'd absolutely expect to see the difference in stats that you highlight.

    Surely you're both right? Or, at least, one of you isn't necessarily wrong.

  • It's possible, Richi.  Perhaps Australia does have the 3rd most *new* zombies appearing every day. However, I still say that while this is possible, it is less probable that this is the case.

  • Does this McAfee report exist or is it just a fabricated news story? I have not been able to find this report by McAfee, just news stories about it.

Page 1 of 1 (5 items)