On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-07-27      653,910,053    6,031,233        13,022           225
Monday     2010-07-26      641,164,040    6,009,023        13,000           227
Sunday     2010-07-25      671,625,562    5,161,197        12,090           225
Saturday   2010-07-24      645,546,542    5,416,013        12,182           223
Friday     2010-07-23      659,075,104    5,896,356        12,952           225
Thursday   2010-07-22      651,395,739    6,023,917        13,106           227
Wednesday  2010-07-21      637,242,722    6,048,065        13,067           225
Tuesday    2010-07-20      631,545,225    6,069,365        13,082           226
Monday     2010-07-19      633,498,570    6,051,025        13,021           227
Sunday     2010-07-18      653,902,396    5,177,140        12,092           225
Saturday   2010-07-17      647,237,823    5,414,991        12,153           224
Friday     2010-07-16      645,638,115    5,926,061        12,955           225
Thursday   2010-07-15      630,343,333    6,057,798        13,075           227
Wednesday  2010-07-14      628,777,632    6,108,396        13,028           226
Tuesday    2010-07-13      621,704,390    6,161,863        13,076           226
Monday     2010-07-12      635,198,568    6,104,337        13,017           225
Sunday     2010-07-11      638,496,874    5,379,445        12,095           225
Saturday   2010-07-10      620,711,605    5,473,034        12,166           225
Friday     2010-07-09      598,071,840    5,952,858        12,860           225
Thursday   2010-07-08      710,298,890    6,171,540        13,162           228
Wednesday  2010-07-07      782,797,256    6,213,698        13,209           228
Tuesday    2010-07-06      588,728,964    6,130,047        13,066           228
Monday     2010-07-05      569,553,024    5,943,901        12,767           227
Sunday     2010-07-04      572,231,542    5,181,679        12,021           226
Saturday   2010-07-03      550,107,002    5,370,355        12,157           226
Friday     2010-07-02      534,028,952    5,719,575        12,771           227
Thursday   2010-07-01      540,995,349    5,791,372        12,993           227
Wednesday  2010-06-30      571,924,731    6,042,825        13,015           227
Tuesday    2010-06-29      559,830,145    6,018,618        13,025           227
Monday     2010-06-28      517,449,849    5,913,291        12,927           228

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-07-27        1,958,801      130,750         5,920           176
Monday     2010-07-26        2,138,692      130,545         5,905           179
Sunday     2010-07-25        1,208,679       90,166         5,091           176
Saturday   2010-07-24        1,450,825      100,193         5,217           174
Friday     2010-07-23        2,071,186      128,365         5,829           175
Thursday   2010-07-22        2,081,113      131,097         5,915           176
Wednesday  2010-07-21        2,180,357      132,582         5,966           175
Tuesday    2010-07-20        2,050,466      133,323         5,951           179
Monday     2010-07-19        2,109,445      134,116         5,988           179
Sunday     2010-07-18        1,047,643       90,583         5,067           175
Saturday   2010-07-17        1,211,608      100,746         5,207           172
Friday     2010-07-16        1,741,374      128,484         5,873           178
Thursday   2010-07-15        1,825,461      133,066         5,975           177
Wednesday  2010-07-14        1,815,562      133,912         6,004           180
Tuesday    2010-07-13        1,844,604      136,179         6,007           179
Monday     2010-07-12        1,801,874      135,814         6,024           182
Sunday     2010-07-11        1,090,081       93,061         5,157           175
Saturday   2010-07-10        1,241,798      101,916         5,278           171
Friday     2010-07-09        1,780,342      130,421         5,921           182
Thursday   2010-07-08        2,185,862      136,655         6,020           184
Wednesday  2010-07-07        2,219,667      140,874         6,084           182
Tuesday    2010-07-06        2,353,379      142,824         6,122           180
Monday     2010-07-05        2,239,502      139,888         6,011           184
Sunday     2010-07-04        1,255,475       96,465         5,173           173
Saturday   2010-07-03        1,527,405      107,946         5,322           175
Friday     2010-07-02        2,248,255      137,893         6,036           178
Thursday   2010-07-01        2,270,452      142,593         6,133           180
Wednesday  2010-06-30        2,738,366      146,131         6,171           181
Tuesday    2010-06-29        2,797,499      147,589         6,209           180
Monday     2010-06-28        2,712,778      146,208         6,131           180

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-07-27      655,868,854    6,123,882        13,280           225
Monday     2010-07-26      643,302,732    6,101,493        13,249           227
Sunday     2010-07-25      672,834,241    5,231,411        12,348           225
Saturday   2010-07-24      646,997,367    5,491,678        12,439           223
Friday     2010-07-23      661,146,290    5,987,267        13,207           225
Thursday   2010-07-22      653,476,852    6,116,376        13,358           227
Wednesday  2010-07-21      639,423,079    6,141,349        13,324           225
Tuesday    2010-07-20      633,595,691    6,163,397        13,342           226
Monday     2010-07-19      635,608,015    6,145,718        13,280           227
Sunday     2010-07-18      654,950,039    5,247,625        12,339           225
Saturday   2010-07-17      648,449,431    5,490,864        12,404           224
Friday     2010-07-16      647,379,489    6,016,724        13,215           225
Thursday   2010-07-15      632,168,794    6,151,259        13,333           227
Wednesday  2010-07-14      630,593,194    6,202,837        13,288           226
Tuesday    2010-07-13      623,548,994    6,257,780        13,336           226
Monday     2010-07-12      637,000,442    6,199,691        13,277           225
Sunday     2010-07-11      639,586,955    5,451,270        12,358           225
Saturday   2010-07-10      621,953,403    5,549,856        12,428           225
Friday     2010-07-09      599,852,182    6,045,077        13,139           225
Thursday   2010-07-08      712,484,752    6,266,685        13,415           228
Wednesday  2010-07-07      785,016,923    6,311,573        13,468           228
Tuesday    2010-07-06      591,082,343    6,230,607        13,342           228
Monday     2010-07-05      571,792,526    6,042,945        13,048           227
Sunday     2010-07-04      573,487,017    5,256,897        12,297           226
Saturday   2010-07-03      551,634,407    5,451,942        12,429           226
Friday     2010-07-02      536,277,207    5,817,814        13,068           227
Thursday   2010-07-01      543,265,801    5,892,114        13,273           227
Wednesday  2010-06-30      574,663,097    6,146,020        13,305           227
Tuesday    2010-06-29      562,627,644    6,122,477        13,298           227
Monday     2010-06-28      520,162,627    6,016,627        13,214           228

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year