Our Annual Report for 2011 contains descriptive analysis of data about threats in Polish computer networks. The analysis is based mostly on 21 210 508 reports from automated sources, and, to a smaller extent 605 incidents registered from individuals’ reports. All data is categorised similarly to our past reports: Annual Report for 2010 (in Polish) and Semi-annual Report for 1H2011. Two categories, previously included in „other” were counted individually for the first time, due to large numbers of reports – namely brute force attacks and open recursive DNS servers. The chart below shows the data split into categories (note the logarythmic scale!). A dedicated section of the report presents in-depth analysis of the most interesting phenomena that CERT Polska had analyzed in 2011, including new variants of SpyEye and Zeus as well as leveraging of typosquatting for tricking web users into paying for premium SMS services. The document includes the report from ARAKIS (www.arakis.pl) – an early warning system developed by CERT Polska, implemented, among other places, as a part of government IT resources protection systems for CERT.GOV.PL. The report presents statistics of alarms generated by ARAKIS and discusses the most interesting observations made with the system. Key observations from the annual report include: In 2011 we recorded as many as 5.5 m bots (almost 10 m reports) with Polish operators. The highest number, almost 2.5 m, were located in networks belonging to Polish Telecom (TP). Similarly to 2010, Conficker was the most frequent bot in Polish networks. We received as many as 2.1 m automated reports about this bot type. Websites offering free aliases are increasingly more used by fraudsters – they accounted for 84% of phishing sites in .pl and 25% sites in .pl that malware analyzed in sandboxes had attempted to connect to. An overwhelming majority of scans hit port 445/TCP, related to vulnerabilities in handling of RPC requests. However, the number of IP addresses scanning this port decreased in relation to 2010 by ca. 29%. Most IRC-type C&C servers in Poland were located within hosting services offered by large international entities (eg. LEASEWEB, OVH) with data centers located in Poland. The number of DDoS attacks reported to us is relatively low. This does not mean such attacks do not occur – it is rather caused by unwillingness to report, also, such activity is often difficult to detect by a third party (therefore a low number of automated reports). Polish Internet operators are unwilling to block port 25 TCP for end users, although such a measure was proved to be effective by Telekomunikacja Polska (Polish Telecom). In Poland, there are over 160 thousand incorrectly configured DNS servers which can be used in DDoS attacks. The issue applies basically to all operators.