On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2012-02-02      664,233,366    2,972,795        14,243           225
Wednesday  2012-02-01      666,978,636    2,973,446        14,272           225
Tuesday    2012-01-31      662,193,119    3,054,261        14,343           226
Monday     2012-01-30      669,199,057    2,899,261        14,237           224
Sunday     2012-01-29      668,432,427    2,509,419        13,344           224
Saturday   2012-01-28      667,503,352    2,564,339        13,453           225
Friday     2012-01-27      669,068,656    2,683,652        14,145           226
Thursday   2012-01-26      660,077,029    2,721,364        14,249           225
Wednesday  2012-01-25      671,915,219    2,701,825        14,212           226
Tuesday    2012-01-24      662,146,567    2,720,490        14,274           226
Monday     2012-01-23      663,608,417    2,621,975        14,180           224
Sunday     2012-01-22      660,931,556    2,326,181        13,173           226
Saturday   2012-01-21      667,061,118    2,556,557        13,392           224
Friday     2012-01-20      669,144,681    2,819,610        14,220           224
Thursday   2012-01-19      661,692,217    2,967,538        14,342           226
Wednesday  2012-01-18      667,981,658    2,970,801        14,298           227
Tuesday    2012-01-17      662,387,518    3,072,318        14,310           226
Monday     2012-01-16      664,585,282    2,992,875        14,211           225
Sunday     2012-01-15      386,592,831    1,967,203        12,837           222
Friday     2012-01-13      671,136,591    3,005,979        14,251           226
Thursday   2012-01-12      666,849,432    3,007,018        14,253           225
Wednesday  2012-01-11      619,207,219    3,086,475        14,276           224
Tuesday    2012-01-10      658,217,938    3,046,333        14,288           224
Monday     2012-01-09      666,815,656    3,014,000        13,997           224
Sunday     2012-01-08      671,953,649    2,567,187        13,178           223
Saturday   2012-01-07      668,963,717    2,724,791        13,267           224
Friday     2012-01-06      673,149,469    2,975,527        13,788           225
Thursday   2012-01-05      665,624,182    2,954,361        13,904           225
Wednesday  2012-01-04      664,904,961    3,047,195        13,927           225
Tuesday    2012-01-03      623,012,791    2,703,557        13,697           225

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2012-02-02          616,975       32,927         3,652           155
Wednesday  2012-02-01          591,170       32,923         3,617           154
Tuesday    2012-01-31          518,380       32,694         3,636           148
Monday     2012-01-30          479,857       31,848         3,606           149
Sunday     2012-01-29          662,070       23,034         3,085           146
Saturday   2012-01-28          335,113       25,007         3,242           150
Friday     2012-01-27          395,389       29,113         3,520           151
Thursday   2012-01-26          440,682       29,897         3,607           153
Wednesday  2012-01-25          448,132       29,509         3,529           152
Tuesday    2012-01-24          422,955       29,383         3,576           151
Monday     2012-01-23          349,674       28,276         3,516           152
Sunday     2012-01-22          577,150       22,461         3,028           147
Saturday   2012-01-21          378,419       24,973         3,201           151
Friday     2012-01-20          403,218       30,319         3,547           153
Thursday   2012-01-19          399,621       31,852         3,641           151
Wednesday  2012-01-18          623,587       31,562         3,607           153
Tuesday    2012-01-17          349,748       31,742         3,583           152
Monday     2012-01-16          358,807       31,695         3,582           154
Sunday     2012-01-15          172,809       16,216         2,514           141
Friday     2012-01-13          407,833       31,011         3,580           155
Thursday   2012-01-12          388,769       31,860         3,616           152
Wednesday  2012-01-11          486,717       32,883         3,672           154
Tuesday    2012-01-10          438,633       32,173         3,658           154
Monday     2012-01-09          431,161       31,253         3,466           151
Sunday     2012-01-08          277,189       22,771         3,027           147
Saturday   2012-01-07          335,606       24,503         3,083           150
Friday     2012-01-06          304,589       28,531         3,325           148
Thursday   2012-01-05          334,048       30,401         3,416           148
Wednesday  2012-01-04          366,481       30,384         3,428           152
Tuesday    2012-01-03          389,343       27,142         3,265           150

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2012-02-02      664,850,341    2,997,133        14,409           225
Wednesday  2012-02-01      667,569,806    2,997,806        14,428           225
Tuesday    2012-01-31      662,711,499    3,078,515        14,494           226
Monday     2012-01-30      669,678,914    2,922,867        14,393           224
Sunday     2012-01-29      669,094,497    2,527,593        13,492           224
Saturday   2012-01-28      667,838,465    2,584,018        13,619           225
Friday     2012-01-27      669,464,045    2,705,584        14,298           226
Thursday   2012-01-26      660,517,711    2,743,850        14,399           225
Wednesday  2012-01-25      672,363,351    2,724,077        14,360           226
Tuesday    2012-01-24      662,569,522    2,742,620        14,431           226
Monday     2012-01-23      663,958,091    2,643,513        14,335           224
Sunday     2012-01-22      661,508,706    2,344,133        13,341           226
Saturday   2012-01-21      667,439,537    2,576,162        13,568           224
Friday     2012-01-20      669,547,899    2,842,381        14,381           224
Thursday   2012-01-19      662,091,838    2,991,063        14,501           226
Wednesday  2012-01-18      668,605,245    2,994,222        14,457           227
Tuesday    2012-01-17      662,737,266    3,095,622        14,459           226
Monday     2012-01-16      664,944,089    3,016,309        14,361           225
Sunday     2012-01-15      386,765,640    1,980,070        12,974           222
Friday     2012-01-13      671,544,424    3,028,836        14,401           226
Thursday   2012-01-12      667,238,201    3,030,445        14,394           225
Wednesday  2012-01-11      619,693,936    3,110,724        14,429           224
Tuesday    2012-01-10      658,656,571    3,069,998        14,440           224
Monday     2012-01-09      667,246,817    3,037,251        14,158           224
Sunday     2012-01-08      672,230,838    2,585,351        13,340           223
Saturday   2012-01-07      669,299,323    2,744,131        13,433           224
Friday     2012-01-06      673,454,058    2,996,992        13,937           225
Thursday   2012-01-05      665,958,230    2,977,126        14,062           225
Wednesday  2012-01-04      665,271,442    3,069,802        14,078           225
Tuesday    2012-01-03      623,402,134    2,724,129        13,837           225

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year