On this page... (hide)

Introduction

As security professionals we always are asked how large is the population of an infection. Conficker is no different from any other, and it seems that everyone wants to have some value to use for many different purposes. The press for impact, some vendors for FUD, and others to have a number to compare to other infections. The bottom line is that no one can give an exact number on any infection ever. If anyone ever states exact numbers, they either are controlling it, or are not being completely honest to themselves or others on the means of data collection. We can estimate a number based off of certain traffic types, but we make mistakes as often as anyone else. A lot of the malicious traffic can resemble other legitimate or malicious traffic which of course skews the numbers. On top of simple traffic analysis each threat provides its own unique mechanisms for tracking infection statistics. Each of these methods of course come with their own positives and negatives when discussing accuracy of the data. It is what that in mind that we wanted attempt to draw out some of the pro's and con's of our data collection methodology below.

So, it is with a lot of trepidation that we even show any values for conficker knowing that they will most likely be taken out of context and quoted by many.

Population Numbers

What the following tables show are the daily connections and unique IP's that have been connecting to our tracking systems. Many people equate one IP to one system, but that is not usually the case. If the system is behind a NAT gateway, it would represent dozens or hundreds of systems. If a system is mobile it could be reported several times in a single day under different IP's. And in today's world there are a very large number of mobile users which could inflate the number of connections and unique IP's that are tracked.

What does this really mean? The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

One last note: we are publishing these numbers to give a better understanding of what we are tracking. We do not believe in shaming anyone related to these values, and is not our purpose in any way.

Data Details

These tables are updated daily from the tracking systems. They are updated only once a day.

Conficker A+B

These tables are specifically for the A+B infections.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-09-07      552,234,520    5,492,168        13,257           228
Monday     2010-09-06      565,089,891    5,492,775        13,026           228
Sunday     2010-09-05      565,393,071    4,841,598        12,271           227
Saturday   2010-09-04      559,962,327    5,078,649        12,384           227
Friday     2010-09-03      562,746,560    5,561,023        13,213           226
Thursday   2010-09-02      546,745,448    5,522,073        13,301           228
Wednesday  2010-09-01      550,502,280    5,689,229        13,280           225
Tuesday    2010-08-31      544,675,460    5,745,742        13,252           226
Monday     2010-08-30      550,181,406    5,710,255        13,199           226
Sunday     2010-08-29      570,681,437    4,987,659        12,232           225
Saturday   2010-08-28      559,516,754    5,193,925        12,402           225
Friday     2010-08-27      567,092,084    5,639,349        13,122           225
Thursday   2010-08-26      553,643,723    5,757,367        13,184           226
Wednesday  2010-08-25      556,862,705    5,776,666        13,232           225
Tuesday    2010-08-24      557,865,937    5,774,622        13,125           225
Monday     2010-08-23      566,586,379    5,771,476        13,121           228
Sunday     2010-08-22      629,258,196    5,021,225        12,213           227
Saturday   2010-08-21      637,620,735    5,228,494        12,353           226
Friday     2010-08-20      571,870,610    5,661,591        13,034           228
Thursday   2010-08-19      615,764,906    5,787,426        13,117           228
Wednesday  2010-08-18      621,088,080    5,879,675        13,069           227
Tuesday    2010-08-17      603,760,443    5,769,788        13,042           227
Monday     2010-08-16      600,903,313    5,718,824        13,010           227
Sunday     2010-08-15      590,921,002    4,924,677        12,124           226
Saturday   2010-08-14      629,983,731    5,220,557        12,260           226
Friday     2010-08-13      635,404,825    5,713,745        12,995           227
Thursday   2010-08-12      645,740,868    5,830,862        13,088           227
Wednesday  2010-08-11      640,514,594    5,949,451        13,067           226
Tuesday    2010-08-10      633,639,108    5,891,345        13,056           225
Monday     2010-08-09      651,308,667    5,889,978        13,070           225

This chart shows the rate of IP's being seen over time.

90-Day

180-Day

Year

Conficker C

These tables are specifically for the C infections

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-09-07        1,859,345      112,354         5,798           176
Monday     2010-09-06        1,778,076      114,014         5,754           176
Sunday     2010-09-05        1,112,706       79,531         4,915           169
Saturday   2010-09-04        1,319,037       90,046         5,103           172
Friday     2010-09-03        1,819,929      113,458         5,714           175
Thursday   2010-09-02        1,745,429      115,470         5,774           177
Wednesday  2010-09-01        1,897,917      118,399         5,756           175
Tuesday    2010-08-31        1,874,053      118,978         5,825           177
Monday     2010-08-30        1,926,730      119,485         5,782           173
Sunday     2010-08-29        1,092,301       82,638         5,002           171
Saturday   2010-08-28        1,231,249       90,330         5,098           172
Friday     2010-08-27        1,790,161      114,520         5,727           173
Thursday   2010-08-26        1,884,266      118,985         5,780           176
Wednesday  2010-08-25        1,853,011      119,489         5,798           176
Tuesday    2010-08-24        1,908,666      119,176         5,762           176
Monday     2010-08-23        1,850,530      119,462         5,778           180
Sunday     2010-08-22        1,130,884       83,011         4,953           167
Saturday   2010-08-21        1,332,255       91,928         5,076           168
Friday     2010-08-20        1,761,581      114,942         5,701           173
Thursday   2010-08-19          840,940      107,807         5,657           174
Wednesday  2010-08-18          526,642      102,588         5,580           173
Tuesday    2010-08-17          539,511      101,393         5,578           175
Monday     2010-08-16          543,110      101,061         5,547           176
Sunday     2010-08-15          337,015       69,494         4,752           167
Saturday   2010-08-14          394,877       79,050         4,929           169
Friday     2010-08-13          556,676      101,400         5,488           175
Thursday   2010-08-12        1,832,577      116,479         5,742           176
Wednesday  2010-08-11        2,191,350      123,130         5,820           177
Tuesday    2010-08-10        2,247,594      124,835         5,880           175
Monday     2010-08-09        1,849,061      123,114         5,830           175

This chart shows the rate of IP's being seen over time. Because of the great difference between the daily totals and the hourly, we are using two Y-Axis values. The Y-Axis on the left is for the daily totals, while the one on the right s for both the hourly lines.

90-Day

180-Day

Year

Conficker A+B+C

This data set is the aggregate of all the conficker infections for today.

Day        Date        Total HTTP Hits  Unique IP's  Unique ASN's  Unique GEO's
Tuesday    2010-09-07      554,093,865    5,571,412        13,511           228
Monday     2010-09-06      566,867,967    5,572,649        13,282           228
Sunday     2010-09-05      566,505,777    4,903,172        12,526           227
Saturday   2010-09-04      561,281,364    5,146,666        12,641           227
Friday     2010-09-03      564,566,489    5,640,766        13,460           226
Thursday   2010-09-02      548,490,877    5,603,472        13,551           228
Wednesday  2010-09-01      552,400,197    5,771,926        13,526           225
Tuesday    2010-08-31      546,549,513    5,828,732        13,497           226
Monday     2010-08-30      552,108,136    5,793,852        13,441           226
Sunday     2010-08-29      571,773,738    5,051,491        12,486           225
Saturday   2010-08-28      560,748,003    5,261,659        12,657           225
Friday     2010-08-27      568,882,245    5,719,736        13,373           225
Thursday   2010-08-26      555,527,989    5,840,551        13,444           226
Wednesday  2010-08-25      558,715,716    5,860,340        13,485           225
Tuesday    2010-08-24      559,774,603    5,858,440        13,377           225
Monday     2010-08-23      568,436,909    5,855,265        13,366           228
Sunday     2010-08-22      630,389,080    5,085,381        12,475           227
Saturday   2010-08-21      638,952,990    5,297,474        12,602           226
Friday     2010-08-20      573,632,191    5,742,604        13,274           228
Thursday   2010-08-19      616,605,846    5,863,418        13,357           228
Wednesday  2010-08-18      621,614,722    5,951,377        13,305           227
Tuesday    2010-08-17      604,299,954    5,841,252        13,288           227
Monday     2010-08-16      601,446,423    5,789,581        13,251           227
Sunday     2010-08-15      591,258,017    4,978,820        12,373           226
Saturday   2010-08-14      630,378,608    5,280,089        12,501           226
Friday     2010-08-13      635,961,501    5,785,194        13,227           227
Thursday   2010-08-12      647,573,445    5,912,380        13,331           227
Wednesday  2010-08-11      642,705,944    6,035,879        13,327           226
Tuesday    2010-08-10      635,886,702    5,979,103        13,301           225
Monday     2010-08-09      653,157,728    5,976,095        13,314           225

90-Day

180-Day

Year

ASN Statistics

These charts represent how many ASN's are effected during the period of the graph.

90-Day

180-Day

Year

Country Statistics

These charts represent how many countries are effected during the period of the graph.

90-Day

180-Day

Year

HTTP Hit Statistics

These charts show how many daily hits from Conficker systems that we are seeing during the period of the graphs. While this is not really representative of an infection population, it does show the level of work that the Conficker Working Group must do daily in dealing with the level of events from Conficker.

90-Day

180-Day

Year