On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-05      380,127,983    6,419,618        12,423           229
Wednesday  2009-11-04      420,601,826    6,427,233        12,316           229
Tuesday    2009-11-03      408,164,394    6,431,886        12,399           228
Monday     2009-11-02      382,703,750    6,282,341        12,305           228
Sunday     2009-11-01      361,716,807    5,809,264        11,399           227
Saturday   2009-10-31      360,828,948    6,261,266        11,523           228
Friday     2009-10-30      419,525,551    6,671,039        12,239           227
Thursday   2009-10-29      423,368,007    6,732,795        12,331           228
Wednesday  2009-10-28      360,183,546    6,548,195        12,339           227
Tuesday    2009-10-27      361,145,927    6,621,596        12,371           228
Monday     2009-10-26      347,322,152    6,463,128        12,310           227
Sunday     2009-10-25      365,396,474    6,130,691        11,345           227
Saturday   2009-10-24      393,345,782    6,128,693        11,417           224
Friday     2009-10-23      401,785,110    6,607,745        12,191           226
Thursday   2009-10-22      421,436,707    6,500,770        12,267           227
Wednesday  2009-10-21      411,112,408    6,477,491        12,279           227
Tuesday    2009-10-20      389,587,072    6,482,021        12,244           226
Monday     2009-10-19      400,646,985    6,540,508        12,227           227
Sunday     2009-10-18      298,380,545    5,831,281        11,211           226
Saturday   2009-10-17      348,892,642    5,980,525        11,332           225
Friday     2009-10-16      372,833,316    6,393,131        12,071           224
Thursday   2009-10-15      383,587,225    6,387,285        12,213           226
Wednesday  2009-10-14      389,426,993    6,411,271        12,191           227
Tuesday    2009-10-13      261,996,910    6,449,537        12,183           227
Monday     2009-10-12      322,252,724    6,158,342        12,012           226
Sunday     2009-10-11      354,427,848    5,881,975        11,198           224
Saturday   2009-10-10      322,197,253    6,122,321        11,294           225
Friday     2009-10-09      372,851,455    6,383,826        12,052           224
Thursday   2009-10-08      174,685,099    5,788,958        12,079           225
Wednesday  2009-10-07      215,621,214    5,568,765        12,030           225

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-05       14,218,182      379,449         7,877           196
Wednesday  2009-11-04       14,757,697      378,640         7,720           197
Tuesday    2009-11-03       14,457,586      384,368         7,901           196
Monday     2009-11-02       13,001,979      363,699         7,827           196
Sunday     2009-11-01        8,580,729      283,239         6,963           190
Saturday   2009-10-31        9,915,206      313,873         7,118           192
Friday     2009-10-30       14,481,490      378,137         7,823           194
Thursday   2009-10-29       14,812,800      388,100         7,907           195
Wednesday  2009-10-28       14,711,681      391,906         7,944           199
Tuesday    2009-10-27       14,798,322      396,099         7,991           198
Monday     2009-10-26       14,810,577      396,742         7,963           196
Sunday     2009-10-25        9,849,590      299,238         7,039           194
Saturday   2009-10-24       11,019,469      326,438         7,197           197
Friday     2009-10-23       14,369,491      388,142         7,857           197
Thursday   2009-10-22       15,180,876      402,654         7,990           200
Wednesday  2009-10-21       14,892,433      407,147         7,991           197
Tuesday    2009-10-20       16,014,738      410,364         7,982           198
Monday     2009-10-19       15,812,879      405,982         8,010           198
Sunday     2009-10-18       10,285,484      309,554         7,112           191
Saturday   2009-10-17       11,645,633      334,157         7,227           194
Friday     2009-10-16       14,993,390      405,508         7,785           193
Thursday   2009-10-15       15,170,258      414,700         8,053           195
Wednesday  2009-10-14       16,153,511      419,248         8,069           195
Tuesday    2009-10-13       15,571,720      418,835         8,087           193
Monday     2009-10-12       12,766,789      395,395         7,935           193
Sunday     2009-10-11        8,774,226      311,895         7,153           192
Saturday   2009-10-10        9,945,475      350,037         7,254           199
Friday     2009-10-09       12,764,971      413,591         7,975           198
Thursday   2009-10-08       11,190,400      407,617         8,068           196
Wednesday  2009-10-07       10,660,281      391,474         7,988           198

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-05      394,346,165    6,688,089        12,854           229
Wednesday  2009-11-04      435,359,523    6,696,109        12,765           229
Tuesday    2009-11-03      422,621,980    6,703,854        12,823           228
Monday     2009-11-02      395,705,729    6,542,784        12,756           228
Sunday     2009-11-01      370,297,536    6,027,616        11,843           227
Saturday   2009-10-31      370,744,154    6,495,561        11,963           228
Friday     2009-10-30      434,007,041    6,938,477        12,663           227
Thursday   2009-10-29      438,180,807    7,006,349        12,763           228
Wednesday  2009-10-28      387,293,057    7,005,113        12,791           227
Tuesday    2009-10-27      375,944,249    6,901,298        12,825           228
Monday     2009-10-26      373,529,755    6,925,029        12,758           227
Sunday     2009-10-25      375,246,064    6,359,988        11,792           227
Saturday   2009-10-24      404,365,251    6,373,189        11,862           224
Friday     2009-10-23      416,154,601    6,883,271        12,650           226
Thursday   2009-10-22      436,617,583    6,786,029        12,719           227
Wednesday  2009-10-21      426,004,841    6,765,526        12,737           227
Tuesday    2009-10-20      405,601,810    6,772,580        12,723           226
Monday     2009-10-19      420,062,420    6,829,283        12,707           227
Sunday     2009-10-18      339,968,650    6,303,642        11,729           226
Saturday   2009-10-17      360,538,275    6,232,222        11,819           225
Friday     2009-10-16      387,826,706    6,682,202        12,526           224
Thursday   2009-10-15      398,757,483    6,681,314        12,679           226
Wednesday  2009-10-14      405,580,504    6,708,256        12,677           227
Tuesday    2009-10-13      298,489,509    6,783,102        12,668           227
Monday     2009-10-12      344,923,884    6,615,422        12,512           226
Sunday     2009-10-11      362,586,669    6,120,157        11,690           224
Saturday   2009-10-10      332,142,728    6,378,994        11,782           225
Friday     2009-10-09      385,616,426    6,677,031        12,549           224
Thursday   2009-10-08      185,875,499    6,086,397        12,573           225
Wednesday  2009-10-07      213,470,724    5,840,478        12,513           225

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year