Malware infections on IPv6 – already nearly 1% in the US!

Our entire Virus Tracker system here at Kleissner & Associates is IPv6 compatible: all of our domains have AAAA records, all our servers have IPv6 addresses, and the database and the Virus Tracker system handle IPv6 addresses properly. We are the first security company to have IPv6 enabled on all sinkhole domains.

Because the domain name system abstracts the transport away, it generally does not matter to the malicious software whether the command & control server is reached via IPv4 or IPv6, as long as the software uses high-level HTTP functions (which resolve the name and let the operating system pick from the A and AAAA answers) rather than raw sockets bound to an IPv4 address or a hard-coded IPv4 literal. In general (HTTP, ICMP) we have observed that Windows uses IPv6 by default if it is available: its default address selection policy lists a global IPv6 address before IPv4 when a name resolves to both. Internet Explorer always tries IPv6 first for the HTTP connection and, if the IPv6 connection fails, falls back to IPv4 with the very same request.
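The behaviour described above, as an added example that is not code from the original post: a resolver walk in which an "any family" client gets the AAAA record first and falls back to the A record with the identical request, while a client pinned to IPv4 (the raw-socket case) never sees the AAAA record at all. The sinkholed domain `c2.example`, its addresses (documentation prefixes) and the `simulated_connect` reachability map are constructed for the example; `tcp_connect` is the live equivalent.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed DNS answer set standing in for a sinkholed C2 domain that carries
# both an A and an AAAA record. Documentation prefixes only; nothing here is a
# real server.
SINKHOLE_RECORDS: Dict[str, Dict[str, List[str]]] = {
    "c2.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}

# Family tags used throughout, so callers do not have to juggle AF_* constants.
FAMILY_TO_AF = {"ipv6": socket.AF_INET6, "ipv4": socket.AF_INET}

# A connect callback takes (family_tag, address, port, request) and returns the
# raw response bytes, or raises OSError when the address is unreachable.
Connect = Callable[[str, str, int, bytes], bytes]


def resolve(host: str, family: str = "any",
            records: Dict[str, Dict[str, List[str]]] = SINKHOLE_RECORDS) -> List[Tuple[str, str]]:
    """Emulate getaddrinfo() over the static answer set.

    With family="any" both record types come back and, like the default address
    selection policy on Windows (the RFC 3484/6724 policy table), a global IPv6
    address is listed before IPv4. With family="ipv4" only A records are visible,
    which is all that malware opening a raw AF_INET socket ever gets to see.
    """
    entry = records.get(host)
    if entry is None:
        raise socket.gaierror(f"{host}: name not found")
    out: List[Tuple[str, str]] = []
    if family in ("any", "ipv6"):
        out += [("ipv6", a) for a in entry.get("AAAA", [])]
    if family in ("any", "ipv4"):
        out += [("ipv4", a) for a in entry.get("A", [])]
    return out


def fetch_with_fallback(host: str, port: int, request: bytes, connect: Connect,
                        family: str = "any") -> Tuple[str, bytes]:
    """Walk the candidates in resolver order; on failure re-issue the identical
    request to the next one. Returns (family_used, response)."""
    last_error: OSError = OSError("no candidates")
    for fam, addr in resolve(host, family):
        try:
            return fam, connect(fam, addr, port, request)
        except OSError as exc:
            last_error = exc
    raise OSError(f"all candidates for {host} failed") from last_error


def tcp_connect(fam: str, addr: str, port: int, request: bytes) -> bytes:
    """Real TCP connect + send, for running the walker against a live host."""
    with socket.socket(FAMILY_TO_AF[fam], socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect((addr, port))
        s.sendall(request)
        return s.recv(4096)


def simulated_connect(reachable: Dict[str, bool]) -> Connect:
    """Build a connect() stand-in that only succeeds for the families marked
    reachable, e.g. {"ipv6": False, "ipv4": True} for a host whose IPv6 path is broken."""
    def _connect(fam: str, addr: str, port: int, request: bytes) -> bytes:
        if not reachable.get(fam, False):
            raise ConnectionRefusedError(f"{fam} path to {addr}:{port} unreachable")
        # Echo the request line so the caller can check the same request went out.
        return b"HTTP/1.1 200 OK\r\n\r\n" + request.split(b"\r\n", 1)[0]
    return _connect


if __name__ == "__main__":
    req = b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\n\r\n"
    for label, paths in (("dual-stack host", {"ipv6": True, "ipv4": True}),
                         ("IPv6 path broken", {"ipv6": False, "ipv4": True})):
        fam, _ = fetch_with_fallback("c2.example", 80, req, simulated_connect(paths))
        print(f"{label}: request went out over {fam}")
    fam, _ = fetch_with_fallback("c2.example", 80, req,
                                 simulated_connect({"ipv6": True, "ipv4": True}), family="ipv4")
    print(f"AF_INET-only client: request went out over {fam}")
```

The third call is the caveat from the text in code form: a client that asks only for AF_INET lands on the IPv4 sinkhole address even though the host and the domain are fully dual-stack, so such infections never show up in the IPv6 figures below.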

Because we have enabled IPv6 everywhere on our servers and Windows uses IPv6 by default, we get some kind of overview of how IPv6-ready the infected side of the internet is. Below are some statistics out of our data, turning nothing into something!

Statistics in the US

On 6/5/2014 we had a total of 120,992 unique infection records for the US. 1,079 of those records are connections via IPv6, that is 0.89%. These numbers include, however, potential false positive infection records such as those generated by analysis systems and crawlers. The malware related to the IPv6 connections:

[Chart: IPv6 US – malware families seen on the IPv6 connections from the US]

The ASNs we see the IPv6 infections coming from:

AS3 Massachusetts Institute of Technology
AS237 Merit Network Inc.
AS6112 Auburn University
AS6128 Cablevision Systems Corp.
AS6621 Hughes Network Systems
AS6939 Hurricane Electric, Inc.
AS7018 AT&T Services, Inc.
AS7922 Comcast Cable Communications, Inc.
AS8001 Net Access Corporation
AS8047 GENERAL COMMUNICATION, INC.
AS10297 eNET Inc.
AS10507 Sprint Personal Communications Systems
AS10796 Road Runner HoldCo LLC
AS11351 Road Runner HoldCo LLC
AS11426 Road Runner HoldCo LLC
AS11427 Road Runner HoldCo LLC
AS11650 Pioneer Long Distance Inc.
AS12083 KNOLOGY, Inc.
AS12271 Road Runner HoldCo LLC
AS16417 Cisco Systems Ironport Division
AS16591 Google Fiber Inc.
AS16880 Global IDC and Backbone of Trend Micro Inc.
AS18777 Texas State University - San Marcos
AS18779 EGIHosting
AS18978 Enzu Inc
AS19108 Suddenlink Communications
AS19262 Verizon Online LLC
AS20001 Road Runner HoldCo LLC
AS20115 Charter Communications
AS21547 Oxford Networks
AS22394 Cellco Partnership DBA Verizon Wireless
AS22773 Cox Communications Inc.
AS26347 New Dream Network, LLC
AS29761 Web Africa Proxy aut-num object
AS29859 WideOpenWest Finance LLC
AS30036 Mediacom Communications Corp
AS30264 Columbia Power and Water Systems
AS33363 BRIGHT HOUSE NETWORKS, LLC
AS33387 DataShack, LC
AS40336 Jacobi International Inc.
AS46475 Limestone Networks, Inc.
AS54540 Incero LLC

The observed operating systems and how often each occurred:

1     Mac OS X 10.6 (this one belongs to a machine in the Cisco ASN)
1     Mac OS X 10.7.1
2     Windows 2000
198   Windows XP
149   Windows Vista
221   Windows 7
1     Windows 8

Statistics in Germany

For Germany we have, on the same day, a total of 19,654 infection records. 53 of them are connections via IPv6, that is only 0.27%. Again the originating ASNs:

AS3320 Deutsche Telekom AG
AS8767 M-net Telekommunikations GmbH, Germany
AS8881 Versatel Deutschland GmbH
AS13184 Telefonica Germany GmbH & Co.OHG
AS20825 Unitymedia NRW GmbH
AS24940 Hetzner Online AG
AS31334 Kabel Deutschland Vertrieb und Service GmbH
AS34127 Flughafen Muenchen GmbH
AS51167 Contabo GmbH
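How the US and Germany figures above are derived from raw sinkhole records, as an added example that is not the Virus Tracker code: it classifies each client address by family with the standard library's ipaddress module, computes the per-country IPv6 share and the per-ASN breakdown, and checks the two percentages quoted above. It also applies two checks a practitioner would want before trusting such a share: an IPv4 client behind a dual-stack listener is logged as an IPv4-mapped `::ffff:a.b.c.d` address and must count as IPv4, and 6to4 (`2002::/16`) or Teredo (`2001::/32`) addresses are IPv6 carried over an IPv4 tunnel rather than native connectivity (Hurricane Electric, AS6939 in the US list, also operates a public IPv6 tunnel broker, so tunnelled clients do appear in such data). The log layout, the addresses (documentation and reserved space) and the ASN labels in `SAMPLE_LOG` are constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sinkhole records in a simple whitespace-separated layout:
# timestamp, client address, country, origin ASN, malware family.
# Addresses are documentation/reserved space; the ASNs are only labels here.
SAMPLE_LOG = """\
2014-06-05T00:01:02Z 198.51.100.7 US AS7922 zeus
2014-06-05T00:01:05Z 2001:db8:1::9 US AS7922 zeus
2014-06-05T00:02:11Z 2002:c633:6407::1 US AS6939 citadel
2014-06-05T00:02:40Z 2001:0:c000:204:0:1234:3fff:fdfa US AS22773 sality
2014-06-05T00:03:00Z 203.0.113.20 DE AS3320 zeus
2014-06-05T00:03:30Z 2001:db8:2::5 DE AS3320 zeus
2014-06-05T00:04:00Z ::ffff:198.51.100.8 US AS7018 zeus
"""


def classify(address: str) -> str:
    """Address-family label for one client address.

    Dual-stack listeners log IPv4 clients as IPv4-mapped ::ffff:a.b.c.d, so those
    count as IPv4. 6to4 (2002::/16) and Teredo (2001::/32) are IPv6 carried over
    an IPv4 tunnel and get their own labels, separate from native IPv6.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return "ipv4"
    if ip.ipv4_mapped is not None:
        return "ipv4"
    if ip.sixtofour is not None:
        return "ipv6-6to4"
    if ip.teredo is not None:
        return "ipv6-teredo"
    return "ipv6"


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn the log text into records, dropping lines that do not parse."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, addr, country, asn, malware = fields
        try:
            kind = classify(addr)
        except ValueError:  # not an IP literal at all
            continue
        records.append({"ts": ts, "ip": addr, "country": country, "asn": asn,
                        "malware": malware, "kind": kind})
    return records


def pct(part: int, total: int) -> float:
    """Percentage rounded to two decimals, as in the figures quoted in the post."""
    return round(100.0 * part / total, 2) if total else 0.0


def summarize(records: List[Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """Per-country totals: all IPv6 (tunnelled included) and the native-only share."""
    per_country = defaultdict(lambda: {"total": 0, "ipv6": 0, "ipv6_native": 0})
    for r in records:
        c = per_country[r["country"]]
        c["total"] += 1
        if r["kind"].startswith("ipv6"):
            c["ipv6"] += 1
        if r["kind"] == "ipv6":
            c["ipv6_native"] += 1
    for c in per_country.values():
        c["share"] = pct(c["ipv6"], c["total"])
        c["share_native"] = pct(c["ipv6_native"], c["total"])
    return dict(per_country)


def asn_breakdown(records: List[Dict[str, str]], country: str) -> Counter:
    """Origin ASNs of the IPv6 records (tunnelled included) for one country."""
    return Counter(r["asn"] for r in records
                   if r["country"] == country and r["kind"].startswith("ipv6"))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for country, stats in sorted(summarize(recs).items()):
        print(f"{country}: {stats['ipv6']}/{stats['total']} over IPv6 ({stats['share']}%), "
              f"native only {stats['share_native']}%")
        for asn, n in asn_breakdown(recs, country).most_common():
            print(f"  {asn}: {n}")
    # The two shares quoted in the post, recomputed from its own counts.
    print("US:", pct(1079, 120992), "% / DE:", pct(53, 19654), "%")
```

On the constructed sample the US share drops from 60% to 20% once tunnelled addresses are excluded, which is the point of keeping the native-only figure next to the headline number.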