Sources

The Avira OASYS (Outbreak Alert SYStem) collects malware from various sources. For this reason, we use several kinds of Honeypot technologies.

Email trap: We have various email addresses seeded over the internet. This was done on several websites under different top-level domains, which means websites in different languages. Therefore, the seeded email addresses are deployed over the whole internet. In fact, these accounts have never been used for common email exchange, so regular messages should not get there. As the bad guys, but also traditional email worms scan the internet for email addresses, we receive worms, seeded Backdoors and Trojans, but also Spam and Phishing.

Network trap: On several IPs in several subnets within different ISPs and countries, we use Honeypots simulating OS vulnerabilities in order to capture network worms. We employ different Honeypot technologies to cover a wide range of vulnerabilities or even provide network shares with write access.

Representativeness

The statistics do not contain virus uploads or viruses that reach our official domain. This would simply not give the correct picture of what is ITW (In The Wild), as various worms avoid those addresses, while others hammer the official domain in order to climb through the statistics.
Moreover, we do not count the source more than once, even when trapping multiple samples.

The system is designed to avoid any public knowledge, as we consider that only such a system can reflect the real ITW (In The Wild) situation.

Usage

Avira uses this data to monitor the current threat situation, create a monthly top list, but also real-time statistics for each particular threat. You can view statistics for every threat that has a corresponding virus description. Furthermore, you can see graphs about the numbers in the statistics section.