On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-03-09      337,669,175    6,351,531        12,805           226
Monday     2010-03-08      338,155,668    6,284,835        12,478           225
Sunday     2010-03-07      329,896,387    5,729,835        11,775           224
Saturday   2010-03-06      331,981,299    5,995,791        11,894           223
Friday     2010-03-05      354,924,456    6,295,919        12,766           225
Thursday   2010-03-04      373,250,632    6,325,824        12,852           227
Wednesday  2010-03-03      359,794,785    6,313,380        12,813           227
Tuesday    2010-03-02      337,004,936    6,276,509        12,835           226
Monday     2010-03-01      318,658,525    6,166,997        12,800           226
Sunday     2010-02-28      287,961,218    5,645,784        11,833           223
Saturday   2010-02-27      318,692,637    5,930,726        12,065           222
Friday     2010-02-26       78,261,924    4,948,563        12,422           225
Thursday   2010-02-25       76,692,499    4,847,028        12,473           225
Wednesday  2010-02-24       54,544,056    4,766,191        12,469           224
Tuesday    2010-02-23       88,665,841    4,940,868        12,370           225
Monday     2010-02-22       87,870,843    4,883,675        12,329           226
Sunday     2010-02-21      130,762,051    4,999,295        11,726           227
Saturday   2010-02-20      184,069,445    5,141,864        11,836           226
Friday     2010-02-19      165,080,826    4,527,824        12,434           227
Thursday   2010-02-18        2,806,629        8,480         1,232           138
Wednesday  2010-02-17      150,842,074    4,766,975        12,111           226
Tuesday    2010-02-16      184,495,241    5,395,958        12,257           227
Monday     2010-02-15      234,176,809    5,310,922        12,156           225
Sunday     2010-02-14      183,186,698    4,925,235        11,351           224
Saturday   2010-02-13      224,702,821    5,248,969        11,522           223
Friday     2010-02-12      188,748,236    5,765,755        12,256           224
Thursday   2010-02-11      163,057,271    5,997,704        12,324           225
Wednesday  2010-02-10      183,775,873    6,241,341        12,361           226
Tuesday    2010-02-09      159,190,362    6,277,202        12,299           226
Monday     2010-02-08      197,785,792    6,315,079        12,297           225

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-03-09        3,305,586      212,497         7,005           187
Monday     2010-03-08        3,376,954      206,531         6,687           184
Sunday     2010-03-07        2,099,921      152,058         6,085           184
Saturday   2010-03-06        3,077,590      174,543         6,280           183
Friday     2010-03-05        6,208,194      223,699         7,007           186
Thursday   2010-03-04        6,302,375      228,208         7,074           185
Wednesday  2010-03-03        6,430,694      229,544         7,101           185
Tuesday    2010-03-02        6,286,371      231,365         7,126           185
Monday     2010-03-01        6,994,897      226,586         7,083           187
Sunday     2010-02-28        4,552,812      168,230         6,273           186
Saturday   2010-02-27        5,081,936      189,037         6,576           186
Friday     2010-02-26        6,781,396      223,848         7,003           187
Thursday   2010-02-25        7,198,867      234,713         7,139           186
Wednesday  2010-02-24        7,281,288      236,547         7,191           185
Tuesday    2010-02-23        7,202,635      233,909         6,995           189
Monday     2010-02-22        7,064,192      232,607         6,994           188
Sunday     2010-02-21        4,805,156      175,667         6,281           187
Saturday   2010-02-20        5,126,878      185,913         6,419           187
Friday     2010-02-19        6,342,144      213,607         7,064           185
Thursday   2010-02-18        6,765,791      216,180         7,160           190
Wednesday  2010-02-17        6,494,725      213,056         7,123           188
Tuesday    2010-02-16        5,961,919      201,678         7,109           188
Monday     2010-02-15        5,532,269      197,637         6,966           187
Sunday     2010-02-14        4,104,768      157,166         6,222           183
Saturday   2010-02-13        4,608,158      173,722         6,384           183
Friday     2010-02-12        6,075,425      218,018         7,072           190
Thursday   2010-02-11        6,962,261      233,233         7,221           190
Wednesday  2010-02-10        7,188,124      241,042         7,238           188
Tuesday    2010-02-09        7,395,736      243,683         7,305           186
Monday     2010-02-08        7,431,433      245,763         7,285           187

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-03-09      340,974,761    6,499,203        13,154           226
Monday     2010-03-08      341,532,622    6,429,168        12,824           225
Sunday     2010-03-07      335,652,430    5,853,866        12,140           224
Saturday   2010-03-06      335,058,889    6,125,861        12,253           223
Friday     2010-03-05      361,132,650    6,452,710        13,118           225
Thursday   2010-03-04      379,552,985    6,484,564        13,209           227
Wednesday  2010-03-03      366,225,455    6,472,999        13,159           227
Tuesday    2010-03-02      343,291,296    6,437,363        13,204           226
Monday     2010-03-01      325,653,418    6,325,590        13,166           226
Sunday     2010-02-28      301,175,569    5,808,604        12,214           223
Saturday   2010-02-27      323,774,560    6,071,426        12,408           222
Friday     2010-02-26      107,564,394    5,189,542        12,815           225
Thursday   2010-02-25      104,484,532    5,105,390        12,886           225
Wednesday  2010-02-24       79,159,361    5,033,306        12,874           224
Tuesday    2010-02-23      106,652,146    5,134,800        12,762           225
Monday     2010-02-22      113,973,307    5,109,910        12,735           226
Sunday     2010-02-21      146,637,781    5,150,089        12,104           227
Saturday   2010-02-20      199,288,206    5,297,709        12,202           226
Friday     2010-02-19      171,422,970    4,689,146        12,804           227
Thursday   2010-02-18        9,572,420      223,638         7,257           194
Wednesday  2010-02-17      157,336,799    4,929,434        12,602           226
Tuesday    2010-02-16      190,457,160    5,548,791        12,743           227
Monday     2010-02-15      239,709,078    5,460,567        12,622           225
Sunday     2010-02-14      187,291,466    5,050,898        11,820           224
Saturday   2010-02-13      229,310,979    5,385,218        11,983           223
Friday     2010-02-12      194,823,661    5,928,408        12,722           224
Thursday   2010-02-11      170,019,532    6,169,337        12,794           225
Wednesday  2010-02-10      190,963,997    6,417,220        12,830           226
Tuesday    2010-02-09      166,586,098    6,454,011        12,784           226
Monday     2010-02-08      205,217,225    6,493,032        12,786           225

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year