Two Weeks of Conficker Data and 12 Million Nodes
I got access to some sinkhole logs for Conficker to do some processing. The logs are so big (this is one big sinkhole) that processing them took a few days. I only wanted to focus on the worm’s biggest growth period in early January, so I took a two-week section and had a look at it. The worm grew explosively in this time period: the number of unique IPs hitting the sinkhole per day tripled.
Using F-Secure’s method of summing the maximum “q” values seen for a specific IP+user-agent pair in a given day yields this magic value for the last day (and the biggest in the data set I analyzed): 14/Jan/2009, 11949597. It seems to be reporting nearly 12 million infected hosts. The skeptic in me knows that neither of these two numbers – unique IPs seen in a day and the self-reported “q” value – represents the true number of infected hosts, but it’s a ballpark: many millions.
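To make the two counting methods concrete, here is an added example (not code from the original post or from F-Secure) that computes both metrics from web-server style sinkhole logs: unique source IPs per day, and the per-day sum of the largest “q” value seen for each IP+user-agent pair. The log format, the assumption that the bot’s report arrives as a `q=` query parameter, and the sample lines are all constructed for this example.

```python
"""Estimate infection counts from constructed Conficker-style sinkhole logs.

Two metrics from the post:
  1. unique source IPs per day
  2. the F-Secure style "q" sum: for each (IP, User-Agent) pair seen in a
     day, take the largest q value it reported, then add those maxima up.

ASSUMPTIONS (not from the post): Apache "combined" log format, and the bot's
self-reported count appears as a ``q=`` query parameter on the request path.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two days of traffic. One host reports a growing q, one
# IP shows two user agents (e.g. two machines behind one NAT address), one
# line is unrelated scanner noise, and one line carries a malformed q value.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Jan/2009:03:14:07 +0000] "GET /search?q=3 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [13/Jan/2009:09:41:22 +0000] "GET /search?q=5 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.22 - - [13/Jan/2009:10:02:51 +0000] "GET /search?q=1 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.22 - - [13/Jan/2009:10:02:58 +0000] "GET /search?q=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.9 - - [13/Jan/2009:11:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.18.0"
198.51.100.7 - - [14/Jan/2009:00:30:00 +0000] "GET /search?q=8 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.22 - - [14/Jan/2009:01:00:00 +0000] "GET /search?q=4 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.55 - - [14/Jan/2009:02:00:00 +0000] "GET /search?q=notanumber HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Return (day, ip, ua, q) for a bot check-in line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("path")).query)
    if "q" not in params:
        return None                      # not a check-in (scanners, favicon, ...)
    try:
        q = int(params["q"][0])
    except ValueError:
        return None                      # malformed report: skip, don't crash the job
    if q < 0:
        return None
    day = m.group("ts").split(":", 1)[0]  # "13/Jan/2009:03:14:07 +0000" -> "13/Jan/2009"
    return day, m.group("ip"), m.group("ua"), q


def summarize(log_text):
    """Return {day: {"unique_ips": n, "pairs": n, "q_sum": n}} in date order."""
    max_q = defaultdict(dict)   # day -> {(ip, ua): largest q seen that day}
    ips = defaultdict(set)      # day -> set of source IPs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, ua, q = rec
        ips[day].add(ip)
        key = (ip, ua)
        if q > max_q[day].get(key, -1):
            max_q[day][key] = q
    days = sorted(ips, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    return {
        day: {
            "unique_ips": len(ips[day]),
            "pairs": len(max_q[day]),
            "q_sum": sum(max_q[day].values()),
        }
        for day in days
    }


def growth_factor(summary, metric):
    """Ratio of a metric on the last day to the first day (e.g. 'tripled' -> 3.0)."""
    days = list(summary)
    return summary[days[-1]][metric] / summary[days[0]][metric]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for day, stats in result.items():
        print(day, stats)
    print("q_sum growth factor:", growth_factor(result, "q_sum"))
```

Two details matter in practice: the same IP can carry several user agents (NAT or Terminal Services boxes), which is why the pair, not the IP, is the unit the maxima are taken over; and a real sinkhole log is full of noise (scanners, browsers following the same domains, malformed requests), so lines without a well-formed `q` are dropped rather than allowed to inflate either count.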
The worm does not seem to have begun updating itself yet. Some of the domains were registered and pointed at the ASProx botnet; possibly a hijacking, or maybe someone is just running their own numbers for a day. We don’t know. The ASProx botnet did not seem to handle the update check-in, however. Looking at the geographic distribution of the bots for January 14 reveals some interesting skews:
The worm is thought to have originated in Ukraine, although we have no evidence that says that’s the case. One of the reasons people think this is that the worm tries to skip Ukrainian hosts, for instance exiting if a Ukrainian keyboard layout is found. Looking at the data above, it’s clear that these sorts of things don’t always work the way you expect them to.
Biggest worm in a while, clearly.