On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Sunday     2010-02-07      189,528,839    5,746,563        11,393           224
Saturday   2010-02-06      202,950,933    5,932,684        11,567           224
Friday     2010-02-05      215,797,326    6,303,488        12,344           225
Thursday   2010-02-04      180,032,514    6,401,667        12,372           226
Wednesday  2010-02-03      195,284,537    6,437,549        12,424           226
Tuesday    2010-02-02      224,752,416    6,481,744        12,478           225
Monday     2010-02-01      218,208,857    6,442,754        12,460           225
Sunday     2010-01-31      252,981,154    5,860,443        11,509           225
Saturday   2010-01-30      173,448,101    5,979,885        11,531           224
Friday     2010-01-29      210,415,317    6,370,528        12,240           224
Thursday   2010-01-28      187,947,791    6,432,046        12,312           225
Wednesday  2010-01-27      209,602,792    6,432,341        12,316           225
Tuesday    2010-01-26      170,424,512    6,360,726        12,294           225
Monday     2010-01-25      232,763,003    6,428,136        12,301           226
Sunday     2010-01-24      216,104,158    5,850,591        11,369           226
Saturday   2010-01-23      194,122,118    5,995,442        11,478           224
Friday     2010-01-22      107,163,848    5,649,227        12,112           224
Thursday   2010-01-21      202,242,310    6,457,756        12,318           225
Wednesday  2010-01-20      185,553,880    6,427,100        12,330           224
Tuesday    2010-01-19      139,240,612    6,106,586        12,237           224
Monday     2010-01-18      207,554,395    6,353,620        12,193           225
Sunday     2010-01-17      183,971,014    5,774,985        11,351           224
Saturday   2010-01-16      160,725,234    5,907,815        11,442           222
Friday     2010-01-15      120,299,420    6,112,745        12,103           225
Thursday   2010-01-14      143,893,472    6,216,641        12,238           225
Wednesday  2010-01-13      176,486,241    6,307,930        12,243           223
Tuesday    2010-01-12      156,073,856    6,307,301        12,226           225
Monday     2010-01-11      194,895,442    6,349,917        12,206           224
Sunday     2010-01-10      149,478,770    5,731,874        11,244           224
Saturday   2010-01-09      137,304,360    5,195,683        11,126           223

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Sunday     2010-02-07        4,487,475      180,609         6,385           183
Saturday   2010-02-06        5,317,899      200,432         6,542           184
Friday     2010-02-05        6,672,786      241,916         7,179           188
Thursday   2010-02-04        7,834,908      251,654         7,307           190
Wednesday  2010-02-03        7,576,118      252,847         7,292           190
Tuesday    2010-02-02        7,777,638      255,320         7,338           188
Monday     2010-02-01        7,580,065      254,156         7,308           189
Sunday     2010-01-31        5,689,892      190,820         6,456           184
Saturday   2010-01-30        6,579,423      209,365         6,586           184
Friday     2010-01-29        8,709,350      255,019         7,226           189
Thursday   2010-01-28        9,115,563      262,003         7,365           190
Wednesday  2010-01-27        9,503,087      264,461         7,394           188
Tuesday    2010-01-26        9,040,892      263,040         7,401           191
Monday     2010-01-25        9,560,839      266,811         7,384           192
Sunday     2010-01-24        5,455,935      195,064         6,509           187
Saturday   2010-01-23        6,404,381      215,871         6,642           187
Friday     2010-01-22        9,083,240      264,497         7,332           192
Thursday   2010-01-21        9,093,034      270,908         7,426           191
Wednesday  2010-01-20        9,278,173      272,697         7,446           192
Tuesday    2010-01-19        9,427,316      275,175         7,420           190
Monday     2010-01-18        9,787,625      275,267         7,416           188
Sunday     2010-01-17        6,113,784      202,995         6,560           186
Saturday   2010-01-16        7,023,842      222,711         6,742           187
Friday     2010-01-15        7,656,289      267,452         7,337           194
Thursday   2010-01-14       10,190,356      275,366         7,409           191
Wednesday  2010-01-13       10,058,717      279,221         7,430           192
Tuesday    2010-01-12        9,712,084      282,194         7,460           192
Monday     2010-01-11       10,007,071      282,641         7,451           193
Sunday     2010-01-10        5,627,839      207,203         6,572           186
Saturday   2010-01-09        5,406,225      224,001         6,637           188

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Sunday     2010-02-07      194,016,314    5,888,451        11,871           224
Saturday   2010-02-06      208,268,832    6,086,334        12,033           224
Friday     2010-02-05      222,470,112    6,478,685        12,804           225
Thursday   2010-02-04      187,867,422    6,583,118        12,869           227
Wednesday  2010-02-03      202,860,655    6,619,983        12,897           226
Tuesday    2010-02-02      232,530,054    6,665,584        12,941           226
Monday     2010-02-01      225,788,922    6,626,014        12,941           225
Sunday     2010-01-31      258,671,046    6,010,018        11,990           225
Saturday   2010-01-30      180,027,524    6,139,780        12,025           224
Friday     2010-01-29      219,124,667    6,554,637        12,745           224
Thursday   2010-01-28      197,063,354    6,620,913        12,822           225
Wednesday  2010-01-27      219,105,879    6,622,034        12,826           225
Tuesday    2010-01-26      179,465,404    6,550,094        12,814           225
Monday     2010-01-25      242,323,842    6,619,711        12,823           226
Sunday     2010-01-24      221,560,093    6,002,433        11,881           226
Saturday   2010-01-23      200,526,499    6,159,950        11,991           224
Friday     2010-01-22      116,247,088    5,843,020        12,642           224
Thursday   2010-01-21      211,335,344    6,651,769        12,826           225
Wednesday  2010-01-20      197,698,102    6,626,952        12,843           224
Tuesday    2010-01-19      148,778,048    6,305,709        12,770           224
Monday     2010-01-18      217,342,020    6,550,972        12,715           225
Sunday     2010-01-17      190,084,798    5,933,311        11,878           224
Saturday   2010-01-16      167,749,076    6,077,089        11,968           223
Friday     2010-01-15      127,955,709    6,305,727        12,638           225
Thursday   2010-01-14      154,083,828    6,414,723        12,745           225
Wednesday  2010-01-13      186,544,958    6,508,478        12,762           224
Tuesday    2010-01-12      165,785,940    6,510,048        12,745           225
Monday     2010-01-11      204,902,513    6,552,360        12,738           224
Sunday     2010-01-10      155,106,609    5,893,535        11,749           224
Saturday   2010-01-09      147,410,734    5,437,814        11,660           224

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year