AISI malware statistics

Each day the ACMA reports observations of 'malicious software' (malware) to AISI members. The ACMA also provides daily reports of 'open services', 'vulnerable services', and 'other' cyber security observations to these members. Statistics related to these cyber security categories can be found at these links:

AISI Open Services statistics AISI Vulnerable Services statistics Other AISI cyber security observations

For the latest AISI and malware alerts, subscribe to the ACMA's Cybersecurity ebulletin.

The AISI data is updated daily, identifies the date the malware was observed and is based on Coordinated Universal Time (UTC).

To observe the trends in reports for an individual type or comparison between similar types, simply ‘de-select’ one or on all types that you do not wish to compare to. Each dataset can also be downloaded as a .csv file - Daily (malware observations or Observations by malware family).

Help in interpreting the AISI data

Often there are multiple observations for an individual IP address in this data, including multiple observations under different categories. This multiple IP address data has been largely removed from the data in the charts.

On any given day, the ‘AISI Daily Malware Observations’ chart only contains single instances of an IP address, while the ‘AISI Daily Observations per Malware Family’ chart contains only single instances of an IP address per malware ‘family’. If there are observations of incidents related to multiple families, however, that IP address will be represented once for each family in this data. A consequence of this approach is that the daily total of all observations for the ‘AISI Daily Malware Observations’ chart will be greater than or equal to the daily total recorded for the ‘AISI Daily Observations per Malware Family’ chart.

If there are observations relating to multiple categories on a given day for a given IP address, that IP address will be represented once in each category i.e. if an IP address has been observed as having malware as well as a vulnerable service, this address will be reported in multiple report categories. 

Some related observations about IP address information are that:

  • a service utilizing a ‘dynamic’ IP address (such as a home router) may be represented more than once in the data over a 24-hour period if that 'dynamic' IP has changed during that period.
  • the number of computing devices associated with a given IP address can vary widely, from only one for some residential services to thousands of devices on corporate networks.

A note about data variability

Caution should be applied when interpreting the charts, as their data contains a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise threat has diminished, as other factors may have led to data becoming unavailable. Some of the key variable factors are changing data sources and the emergence of new compromise types.

Brief description of malware and cyber security types

The following descriptions provide brief information associated with the most commonly observed malware types, including those identified in the charts. Most malware types will be capable of performing a variety of malicious activities and have multiple variants.

Type  Description
Malware: Conficker

Among other things, Conficker can disable important services on a computer, leaving it vulnerable to other malware. Internet users with Conficker infections are very likely to have other malware infections of a more serious nature.

Malware: Generic Bot

Data recorded as ‘generic bot’ is where the ACMA has reliable malware indicators, but at the time of the reporting was unable to attribute the malware to a specific malware family.

Malware: Marcher

This type identifies Android devices that have been compromised by Marcher malware applications. These applications can steal banking and other financial credentials by substituting genuine authentication fields within banking apps on the Android device with its own fake fields. These credentials are then recorded and sent to malicious actors. Marcher malware is generally installed through software obtained from untrusted sources, and not from trusted sources such as Google Play.

Malware: Mirai

Mirai is a Trojan that targets 'Internet of Things' devices - such as routers, webcams, printers and digital video recorders - that are 'open' to the internet and use weak or default passwords. Once a device is infected it can be used for many tasks, including co-opting devices into very large Distributed Denial of Service (DDoS) attacks.

Malware: njRAT

Apart from enabling control of an infected device, njRAT can log keystrokes, download and execute files, provide remote desktop access, steal application credentials and access the infected device’s camera and microphone. One njRAT variant can also detect whether a removable storage device such as a USB drive is connected to a computing device. If so, it will attempt to copy itself to the device in the hope of spreading to more devices.

Malware: Other

Other malware types not included in the charts.

Malware: Ramnit

Ramnit is known to evade firewalls and other detection mechanisms by injecting itself into running processes, such as svchost.exe and iexplore.exe. It may modify the registry to ensure that it starts on boot. It uses a custom protocol on TCP port 443 for C&C.

Malware: Rovnix

Rovnix is predominantly a banking malware that can be used to steal other credentials and allow remote ‘backdoor’ access to your computer. It may be difficult to detect due to its stealth capabilities.

Malware: Sphinx

Sphinx is another Zeus-based banking Trojan variant that enables the attacker to modify internet banking and payment services.

Malware: Zero Access

ZeroAccess is designed for the primary purposes of 'click fraud' and 'Bitcoin mining'. It utilises a rootkit, is often installed by web browser exploits and may have been downloaded by other malware already residing on the computer.

Malware: Zeus

Zeus is a banking trojan that enables the attacker to modify internet banking transactions.

The most appropriate actions to remove the malware and restore the computing device to correct operation will depend on the type and variant, as well as the operating system version and software utilised by the infected internet user. For further information on how to protect yourself online, we recommend that you visit Stay Smart Online.

We welcome any feedback on these charts. If you have any comments please send an email to

Back to top