On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2013-06-18      654,934,065    1,697,381        13,654           229
Monday     2013-06-17      658,836,957    1,691,854        13,603           225
Sunday     2013-06-16      610,239,569    1,336,437        12,580           223
Saturday   2013-06-15      608,008,252    1,477,028        12,773           225
Friday     2013-06-14      643,976,092    1,663,967        13,548           224
Thursday   2013-06-13      656,941,424    1,705,340        13,616           227
Wednesday  2013-06-12      642,274,666    1,645,253        13,392           227
Tuesday    2013-06-11      652,487,040    1,672,156        13,608           227
Monday     2013-06-10      635,026,222    1,667,905        13,643           228
Sunday     2013-06-09      599,637,292    1,398,398        12,648           226
Saturday   2013-06-08      639,611,110    1,545,802        12,818           225
Friday     2013-06-07      660,497,763    1,697,857        13,577           227
Thursday   2013-06-06      653,346,677    1,711,757        13,628           229
Wednesday  2013-06-05      642,724,033    1,750,229        13,681           229
Tuesday    2013-06-04                8            1             1             1
Monday     2013-06-03      648,028,751    1,755,414        13,681           227
Sunday     2013-06-02      621,110,114    1,396,924        12,671           227
Saturday   2013-06-01       79,009,617      489,265        10,109           222
Friday     2013-05-31      655,127,039    1,707,299        13,596           227
Thursday   2013-05-30      660,676,926    1,719,607        13,660           227
Wednesday  2013-05-29      655,962,653    1,764,686        13,809           228
Tuesday    2013-05-28      625,178,448    1,763,533        13,869           228
Monday     2013-05-27      659,711,383    1,752,642        13,752           228
Sunday     2013-05-26      610,990,728    1,394,034        12,765           226
Saturday   2013-05-25      622,592,937    1,514,383        12,980           225
Friday     2013-05-24      629,939,907    1,706,330        13,762           227
Thursday   2013-05-23      651,743,264    1,774,438        13,971           228
Wednesday  2013-05-22      648,103,099    1,805,834        14,043           228
Tuesday    2013-05-21      649,160,880    1,808,340        14,112           228
Monday     2013-05-20      659,514,796    1,780,836        13,929           226

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2013-06-18          210,049       13,816         2,285           136
Monday     2013-06-17          220,144       13,957         2,290           139
Sunday     2013-06-16          213,752       11,316         2,170           135
Saturday   2013-06-15          216,738       11,926         2,083           137
Friday     2013-06-14          246,884       14,444         2,324           139
Thursday   2013-06-13          291,355       14,021         2,346           138
Wednesday  2013-06-12          218,796       14,185         2,266           137
Tuesday    2013-06-11          268,100       14,224         2,340           139
Monday     2013-06-10          260,186       14,838         2,383           146
Sunday     2013-06-09          280,545       11,071         2,025           134
Saturday   2013-06-08          175,807       11,778         2,081           135
Friday     2013-06-07          177,336       13,860         2,300           137
Thursday   2013-06-06          228,467       13,859         2,288           137
Wednesday  2013-06-05          180,388       14,359         2,355           138
Tuesday    2013-06-04                                                          
Monday     2013-06-03          216,023       14,685         2,393           140
Sunday     2013-06-02          206,491       11,806         2,047           139
Saturday   2013-06-01           18,784        2,657           759           102
Friday     2013-05-31          198,561       14,830         2,316           139
Thursday   2013-05-30          170,997       13,836         2,304           139
Wednesday  2013-05-29          247,219       14,574         2,361           138
Tuesday    2013-05-28          247,193       14,952         2,425           141
Monday     2013-05-27          219,262       14,396         2,345           139
Sunday     2013-05-26          152,095       11,059         2,070           139
Saturday   2013-05-25          151,334       12,178         2,170           136
Friday     2013-05-24          189,971       14,501         2,377           138
Thursday   2013-05-23          179,996       15,379         2,437           143
Wednesday  2013-05-22          199,378       15,103         2,433           143
Tuesday    2013-05-21          241,764       15,381         2,480           144
Monday     2013-05-20        2,186,630       15,195         2,449           142

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2013-06-18      655,144,114    1,708,031        13,777           229
Monday     2013-06-17      659,057,101    1,702,711        13,727           225
Sunday     2013-06-16      610,453,321    1,345,809        12,792           224
Saturday   2013-06-15      608,224,990    1,486,774        12,909           226
Friday     2013-06-14      644,222,976    1,675,326        13,681           224
Thursday   2013-06-13      657,232,779    1,716,195        13,746           227
Wednesday  2013-06-12      642,493,462    1,656,483        13,517           227
Tuesday    2013-06-11      652,755,140    1,683,280        13,733           227
Monday     2013-06-10      635,286,408    1,679,507        13,777           228
Sunday     2013-06-09      599,917,837    1,407,402        12,781           227
Saturday   2013-06-08      639,786,917    1,555,325        12,948           226
Friday     2013-06-07      660,675,099    1,708,639        13,708           227
Thursday   2013-06-06      653,575,144    1,722,593        13,760           229
Wednesday  2013-06-05      642,904,421    1,761,400        13,812           229
Tuesday    2013-06-04                8            1             1             1
Monday     2013-06-03      648,244,774    1,766,710        13,808           227
Sunday     2013-06-02      621,316,605    1,406,735        12,819           228
Saturday   2013-06-01       79,028,401      491,437        10,167           223
Friday     2013-05-31      655,325,600    1,718,975        13,720           227
Thursday   2013-05-30      660,847,923    1,730,359        13,797           227
Wednesday  2013-05-29      656,209,872    1,775,986        13,933           228
Tuesday    2013-05-28      625,425,641    1,775,229        14,006           228
Monday     2013-05-27      659,930,645    1,763,835        13,882           228
Sunday     2013-05-26      611,142,823    1,403,168        12,913           227
Saturday   2013-05-25      622,744,271    1,524,348        13,109           226
Friday     2013-05-24      630,129,878    1,717,689        13,896           227
Thursday   2013-05-23      651,923,260    1,786,434        14,103           228
Wednesday  2013-05-22      648,302,477    1,817,481        14,172           228
Tuesday    2013-05-21      649,402,644    1,820,251        14,240           228
Monday     2013-05-20      661,701,426    1,792,597        14,059           226

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year