Report an incident: incidents[at]govcert{dot}ch
General inquiries: outreach[at]govcert{dot}ch
The following email address can be considered as point of contact for FIRST members and other CERTs/CSIRTs: incidents[at]govcert{dot}ch
GovCERT.ch PGP-Key (preferred); Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support); GovCERT.ch SMIME
These statistics originate from the DroneDB, a database containing infected systems in Switzerland that have been active in the last 10 days. This database is fed by different sources, mostly DNS sinkholes operated by different organizations, to which infected clients connect instead of the real C&C servers. This data is aggregated and filtered for all Swiss IP space known to NCSC/GovCERT. The different malware families are sometimes hard to distinguish, as there is no international naming scheme. It is important to note that these numbers show just the tip of the iceberg, as our database only contains data from sinkholed Command and Control servers.
NCSC/GovCERT provides the list of infected systems per AS (Autonomous System) to different ISPs. Any operator of a network owning its own AS may get this list in order to inform the affected customers within its own network boundary. The goal must be to reduce the number of infected systems, as well as the duration of an infection. GovCERT provides timely information about infections, and the ISPs need to inform their customers. To do so, they need to have adequate abuse desk and helpdesk resources. This notification must be done by the respective ISPs, as GovCERT has no information about who uses which IP at a given time.