On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-19      453,076,158    6,409,218        12,436           230
Wednesday  2009-11-18      424,903,006    6,409,292        12,427           227
Tuesday    2009-11-17      398,237,943    6,352,212        12,416           229
Monday     2009-11-16      383,255,281    6,385,018        12,415           229
Sunday     2009-11-15      384,085,619    5,883,337        11,455           226
Saturday   2009-11-14      411,901,480    5,955,949        11,543           227
Friday     2009-11-13      357,180,437    6,266,027        12,395           228
Thursday   2009-11-12      457,595,969    6,514,181        12,513           229
Wednesday  2009-11-11      375,877,603    6,242,649        12,380           228
Tuesday    2009-11-10      362,853,237    6,221,209        12,467           225
Monday     2009-11-09      379,258,064    6,338,272        12,400           227
Sunday     2009-11-08      409,937,141    6,008,677        11,445           227
Saturday   2009-11-07      419,895,890    6,126,453        11,520           228
Friday     2009-11-06      409,711,644    6,442,240        12,369           228
Thursday   2009-11-05      380,127,983    6,419,618        12,423           229
Wednesday  2009-11-04      420,601,826    6,427,233        12,316           229
Tuesday    2009-11-03      408,164,394    6,431,886        12,399           228
Monday     2009-11-02      382,703,750    6,282,341        12,305           228
Sunday     2009-11-01      361,716,807    5,809,264        11,399           227
Saturday   2009-10-31      360,828,948    6,261,266        11,523           228
Friday     2009-10-30      419,525,551    6,671,039        12,239           227
Thursday   2009-10-29      423,368,007    6,732,795        12,331           228
Wednesday  2009-10-28      360,183,546    6,548,195        12,339           227
Tuesday    2009-10-27      361,145,927    6,621,596        12,371           228
Monday     2009-10-26      347,322,152    6,463,128        12,310           227
Sunday     2009-10-25      365,396,474    6,130,691        11,345           227
Saturday   2009-10-24      393,345,782    6,128,693        11,417           224
Friday     2009-10-23      401,785,110    6,607,745        12,191           226
Thursday   2009-10-22      421,436,707    6,500,770        12,267           227
Wednesday  2009-10-21      411,112,408    6,477,491        12,279           227

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-19       13,039,853      356,108         7,796           192
Wednesday  2009-11-18       13,202,115      358,500         7,825           195
Tuesday    2009-11-17       13,099,732      361,241         7,860           192
Monday     2009-11-16       13,817,213      362,849         7,796           192
Sunday     2009-11-15        9,172,137      273,931         6,973           189
Saturday   2009-11-14        9,574,778      296,356         7,036           189
Friday     2009-11-13       13,533,746      361,105         7,748           194
Thursday   2009-11-12       13,855,852      370,351         7,870           193
Wednesday  2009-11-11       14,120,291      372,022         7,827           195
Tuesday    2009-11-10       14,231,268      376,730         7,895           198
Monday     2009-11-09       13,856,978      376,746         7,866           197
Sunday     2009-11-08        9,445,040      284,417         6,986           190
Saturday   2009-11-07        9,941,598      307,343         7,098           194
Friday     2009-11-06       13,642,951      369,867         7,787           197
Thursday   2009-11-05       14,218,182      379,449         7,877           196
Wednesday  2009-11-04       14,757,697      378,640         7,720           197
Tuesday    2009-11-03       14,457,586      384,368         7,901           196
Monday     2009-11-02       13,001,979      363,699         7,827           196
Sunday     2009-11-01        8,580,729      283,239         6,963           190
Saturday   2009-10-31        9,915,206      313,873         7,118           192
Friday     2009-10-30       14,481,490      378,137         7,823           194
Thursday   2009-10-29       14,812,800      388,100         7,907           195
Wednesday  2009-10-28       14,711,681      391,906         7,944           199
Tuesday    2009-10-27       14,798,322      396,099         7,991           198
Monday     2009-10-26       14,810,577      396,742         7,963           196
Sunday     2009-10-25        9,849,590      299,238         7,039           194
Saturday   2009-10-24       11,019,469      326,438         7,197           197
Friday     2009-10-23       14,369,491      388,142         7,857           197
Thursday   2009-10-22       15,180,876      402,654         7,990           200
Wednesday  2009-10-21       14,892,433      407,147         7,991           197

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Thursday   2009-11-19      466,116,011    6,659,892        12,848           230
Wednesday  2009-11-18      438,105,121    6,662,061        12,846           227
Tuesday    2009-11-17      411,337,675    6,607,362        12,848           229
Monday     2009-11-16      397,072,494    6,641,679        12,849           229
Sunday     2009-11-15      393,257,756    6,093,983        11,889           226
Saturday   2009-11-14      421,476,258    6,178,409        11,974           227
Friday     2009-11-13      370,714,183    6,522,404        12,815           228
Thursday   2009-11-12      471,451,821    6,775,847        12,944           229
Wednesday  2009-11-11      430,467,923    6,719,053        12,841           228
Tuesday    2009-11-10      377,084,505    6,488,583        12,907           225
Monday     2009-11-09      410,733,199    6,792,657        12,860           227
Sunday     2009-11-08      419,382,181    6,227,290        11,884           227
Saturday   2009-11-07      429,837,488    6,356,938        11,937           228
Friday     2009-11-06      423,354,595    6,705,168        12,796           228
Thursday   2009-11-05      394,346,165    6,688,089        12,854           229
Wednesday  2009-11-04      435,359,523    6,696,109        12,765           229
Tuesday    2009-11-03      422,621,980    6,703,854        12,823           228
Monday     2009-11-02      395,705,729    6,542,784        12,756           228
Sunday     2009-11-01      370,297,536    6,027,616        11,843           227
Saturday   2009-10-31      370,744,154    6,495,561        11,963           228
Friday     2009-10-30      434,007,041    6,938,477        12,663           227
Thursday   2009-10-29      438,180,807    7,006,349        12,763           228
Wednesday  2009-10-28      387,293,057    7,005,113        12,791           227
Tuesday    2009-10-27      375,944,249    6,901,298        12,825           228
Monday     2009-10-26      373,529,755    6,925,029        12,758           227
Sunday     2009-10-25      375,246,064    6,359,988        11,792           227
Saturday   2009-10-24      404,365,251    6,373,189        11,862           224
Friday     2009-10-23      416,154,601    6,883,271        12,650           226
Thursday   2009-10-22      436,617,583    6,786,029        12,719           227
Wednesday  2009-10-21      426,004,841    6,765,526        12,737           227

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year