Front Page: Traficom
Front Page: Traficom
Go to Search

Malware detected by Traficom

These statistics demonstrate the number and duration of malware infections in computers connected to Finnish information networks. The source of the data is the Autoreporter service of the NCSC-FI at Traficom, which collects data on malicious network traffic detected on the internet. The data is published four times a year.

The Autoreporter service automatically collects data on malware and information security violations detected in Finnish networks and reports them to network administrators. The service has been in use since 2006 and it covers all Finnish network areas. The statistical data collected during several years can be used to examine the prevalence of malware in Finnish networks, for example.

When reading the graphs below, it is good to remember that one infected computer may cause several Autoreporter observations on consecutive days if the malware has not been removed from the computer.

The first graph contains the number of detected malware and malicious traffic per quarter from 2012 onwards. Some retroactive corrections were made to the statistics in November 2016.

In 2013 and early 2014, the number of observations was exceptionally high as one telecommunications operator had technical difficulties in connecting IP address data involved in the observations to internet connections. Consequently, the operator could not inform its customers about their malware infections. Once the operator repaired the monitoring IP addresses and contacted its customers in early 2014, the number of observations decreased rapidly.

The observations peaked again in October and November 2016 compared to the average level of 2015 and 2016. This was caused by Mirai malware, which spread fast in small network devices and smart devices (Internet of Things, or IoT devices) around the world, including Finland. The NCSC-FI started to coordinate filtering of network traffic, which controlled the spreading of Mirai significantly. However, Mirai was quickly followed by other similar malware. It seems that malware infecting smart devices and using such devices to spread are here to stay. They are still dominating the statistics.

In late 2018, a new form of malware began spreading in QNAP's network-attached storage devices in Finland and abroad. The NCSC-FI was one of the first operators to investigate the malware and gave it the name QSnatch. Once the reason for the infections was discovered, most owners of infected devices were able to remove the malware and protect their devices. However, some were not, and QSnatch has also become a permanent nuisance. 

The second figure presents the relative proportions between different types of malware and malicious traffic during the most recent quarter. 

March 2020 saw a marked increase in instances of malware scanning the internet for vulnerable and inadequately protected systems. The shift has been spurred by the growth in remote work as a result of the coronavirus pandemic, which has, for example, exposed to the internet a large number of Windows remote desktop services previously protected by companies’ internal networks. After the active period in spring, the number of observations in the latter half of the year has fallen to the same level as last year.

Malware that attacks smart devices connected to the internet (IoT), such as security cameras and recording devices, constitutes a substantial share of detected malicious software. Most of the observations still concern Qsnatch and Mirai. 

The cyber criminal group Avalanche offers phishing and malware attacks to other criminals as a service. The group uses and spreads several malware families. While our Autoreporter service can't identify all Avalanche malware among network traffic, it is able to detect communication between contaminated computers and the group’s command-and-control servers. While the group targeted Finland to an exceptional extent during the first three months of 2020, the second quarter of the year saw a return to normal levels. The number of observations increased again in July and August but October was a quieter month.

The Hummer malware has been dominating the statistics since the second half of 2020, and no change is foreseen in the near future. Because Hummer is a rootkit, it is extremely difficult to remove from an infected device. Having infiltrated a device, Hummer gains administrator privileges, shows the user ads and downloads applications that may be malicious or drain the device's battery quickly.



The data sources have been modified since the launch of Autoreporter. New and reliable sources have been added, unreliable sources have been removed, or data provided by an old source have been filtered based on feedback from telecommunications operators. Since Autoreporter has been in operation for a rather long time, its observations are statistically sufficient for making above-mentioned conclusions, for example.

Further details: tilastot(a)