On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2012-05-15      671,772,478    2,658,280        14,020           226
Monday     2012-05-14      673,303,454    2,650,910        14,033           225
Sunday     2012-05-13      655,952,652    2,196,031        12,992           224
Saturday   2012-05-12      673,435,532    2,364,412        13,342           224
Friday     2012-05-11      673,065,681    2,591,325        14,108           226
Thursday   2012-05-10      673,711,696    2,632,983        14,201           226
Wednesday  2012-05-09      673,731,551    2,619,655        13,894           226
Tuesday    2012-05-08      673,646,867    2,633,473        14,018           223
Monday     2012-05-07      674,155,081    2,627,666        13,992           225
Sunday     2012-05-06      672,502,181    2,194,814        13,152           224
Saturday   2012-05-05      673,603,803    2,377,313        13,567           223
Friday     2012-05-04      673,247,466    2,609,934        14,190           225
Thursday   2012-05-03      672,978,384    2,649,550        14,175           227
Wednesday  2012-05-02      672,788,062    2,637,126        14,144           226
Tuesday    2012-05-01      671,831,420    2,281,092        13,456           224
Monday     2012-04-30      673,955,137    2,440,520        13,777           226
Sunday     2012-04-29      671,985,999    2,165,040        13,163           224
Saturday   2012-04-28      674,908,295    2,430,879        13,585           223
Friday     2012-04-27      673,194,189    2,616,990        14,228           224
Thursday   2012-04-26      674,259,656    2,678,080        14,357           224
Wednesday  2012-04-25      673,865,159    2,679,497        14,331           225
Tuesday    2012-04-24      672,586,245    2,699,736        14,336           224
Monday     2012-04-23      674,379,982    2,679,419        14,355           223
Sunday     2012-04-22      673,883,956    2,254,581        13,253           223
Saturday   2012-04-21      672,098,141    2,419,870        13,458           223
Friday     2012-04-20      672,724,476    2,663,982        14,270           225
Thursday   2012-04-19      668,500,897    2,695,771        14,325           224
Wednesday  2012-04-18      670,653,625    2,717,507        14,361           223
Tuesday    2012-04-17      669,956,531    2,716,190        14,314           223
Monday     2012-04-16      672,241,344    2,665,524        14,129           222

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2012-05-15          291,008       26,879         3,153           148
Monday     2012-05-14          341,976       26,642         3,177           149
Sunday     2012-05-13          256,132       18,440         2,662           141
Saturday   2012-05-12          257,016       20,629         2,840           145
Friday     2012-05-11          348,304       24,962         3,143           147
Thursday   2012-05-10          325,462       25,424         3,139           151
Wednesday  2012-05-09          376,496       25,367         3,046           148
Tuesday    2012-05-08          272,322       25,825         3,065           148
Monday     2012-05-07          326,692       25,533         3,118           145
Sunday     2012-05-06          318,094       19,362         2,734           142
Saturday   2012-05-05          209,138       20,622         2,833           145
Friday     2012-05-04          285,764       25,152         3,096           147
Thursday   2012-05-03          288,951       25,767         3,162           146
Wednesday  2012-05-02          317,779       25,382         3,108           147
Tuesday    2012-05-01          223,498       19,993         2,793           144
Monday     2012-04-30          264,385       22,757         2,964           146
Sunday     2012-04-29          243,082       18,820         2,717           140
Saturday   2012-04-28          604,986       21,488         2,935           146
Friday     2012-04-27          599,678       25,648         3,191           148
Thursday   2012-04-26          296,790       26,723         3,231           149
Wednesday  2012-04-25          329,515       26,172         3,251           146
Tuesday    2012-04-24          368,569       26,942         3,255           148
Monday     2012-04-23          384,792       26,974         3,284           148
Sunday     2012-04-22          284,083       19,552         2,805           144
Saturday   2012-04-21          669,096       24,126         2,852           143
Friday     2012-04-20          346,368       29,013         3,225           148
Thursday   2012-04-19          305,466       29,321         3,197           150
Wednesday  2012-04-18          267,449       29,394         3,242           151
Tuesday    2012-04-17          294,345       28,771         3,199           149
Monday     2012-04-16          550,629       27,805         3,135           145

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2012-05-15      672,063,486    2,678,469        14,159           226
Monday     2012-05-14      673,645,430    2,670,795        14,177           225
Sunday     2012-05-13      656,208,784    2,210,899        13,147           224
Saturday   2012-05-12      673,692,548    2,380,703        13,497           224
Friday     2012-05-11      673,413,985    2,609,875        14,260           226
Thursday   2012-05-10      674,037,158    2,651,674        14,341           226
Wednesday  2012-05-09      674,108,047    2,638,367        14,054           226
Tuesday    2012-05-08      673,919,189    2,652,576        14,172           223
Monday     2012-05-07      674,481,773    2,646,546        14,156           225
Sunday     2012-05-06      672,820,275    2,210,218        13,301           224
Saturday   2012-05-05      673,812,941    2,393,395        13,711           223
Friday     2012-05-04      673,533,230    2,628,403        14,329           225
Thursday   2012-05-03      673,267,335    2,668,445        14,319           227
Wednesday  2012-05-02      673,105,841    2,655,851        14,283           226
Tuesday    2012-05-01      672,054,918    2,296,671        13,590           224
Monday     2012-04-30      674,219,522    2,457,779        13,923           226
Sunday     2012-04-29      672,229,081    2,179,934        13,319           224
Saturday   2012-04-28      675,513,281    2,447,515        13,738           223
Friday     2012-04-27      673,793,867    2,635,835        14,372           224
Thursday   2012-04-26      674,556,446    2,697,535        14,499           224
Wednesday  2012-04-25      674,194,674    2,698,862        14,470           225
Tuesday    2012-04-24      672,954,814    2,719,594        14,477           224
Monday     2012-04-23      674,764,774    2,699,347        14,501           223
Sunday     2012-04-22      674,168,039    2,270,115        13,404           223
Saturday   2012-04-21      672,767,237    2,439,219        13,606           223
Friday     2012-04-20      673,070,844    2,686,082        14,422           225
Thursday   2012-04-19      668,806,363    2,717,827        14,457           224
Wednesday  2012-04-18      670,921,074    2,739,695        14,499           223
Tuesday    2012-04-17      670,250,876    2,737,901        14,456           223
Monday     2012-04-16      672,791,973    2,686,424        14,263           222

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year