Two Weeks of Conficker Data and 12 Million Nodes

I got access to some sinkhole logs for Conficker to do some processing. The logs are so big (this is one big sinkhole) that processing them took a few days. I only wanted to focus on the worm’s biggest growth period in early January, so I took a two-week section and had a look at it. The worm grew explosively in this period: the number of unique IPs hitting the sinkhole per day tripled.

2 weeks of growth of unique IPs seen by day

Using F-Secure’s method of summing the maximum “q” values seen for a specific IP+user-agent pair in a given day yields this magic value for the last day (and the biggest in the data set I analyzed): 14/Jan/2009, 11949597. It seems to be reporting nearly 12 million infected hosts. The skeptic in me knows that neither of these two numbers, the unique IPs seen in a day and the self-reported “q” value, represents the true number of infected hosts, but it’s a ballpark: many millions.
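Here is an added example (not code from the post, Arbor, or F-Secure) of both counts described above, run over a constructed sample of sinkhole log lines. The Combined Log Format layout and the placement of the worm’s value in a `q=` query parameter are assumptions; the post does not show the real log format.

```python
import re
from collections import defaultdict

# Constructed sample of sinkhole web-server log lines (Combined Log Format assumed).
# The "q" query parameter stands in for the worm's self-reported value; the real
# sinkhole log layout is not shown in the post, so this shape is an assumption.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jan/2009:08:01:12 +0000] "GET /search?q=3 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [13/Jan/2009:09:15:40 +0000] "GET /search?q=5 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [13/Jan/2009:10:20:01 +0000] "GET /search?q=2 HTTP/1.0" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2009:11:00:00 +0000] "GET /search?q=1 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Jan/2009:00:05:00 +0000] "GET /search?q=6 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Jan/2009:00:06:00 +0000] "GET /search?q=4 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [14/Jan/2009:00:07:00 +0000] "GET /search?q=1 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [14/Jan/2009:00:08:00 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
Q_RE = re.compile(r'[?&]q=(\d+)')

def parse_line(line):
    """Return (day, ip, user_agent, q) for a well-formed line, or None.
    q is None when the request carried no q parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qm = Q_RE.search(m.group('path'))
    q = int(qm.group(1)) if qm else None
    return m.group('day'), m.group('ip'), m.group('ua'), q

def daily_counts(lines):
    """Per day: (number of unique source IPs, sum over each IP+User-Agent pair of
    the largest q that pair reported that day), i.e. the two counts in the post."""
    ips = defaultdict(set)
    max_q = defaultdict(dict)  # day -> {(ip, ua): largest q seen}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        day, ip, ua, q = rec
        ips[day].add(ip)  # unique-IP count includes requests without a q value
        if q is not None:
            key = (ip, ua)
            max_q[day][key] = max(q, max_q[day].get(key, 0))
    return {day: (len(ips[day]), sum(max_q[day].values())) for day in ips}

if __name__ == "__main__":
    for day, (uniq, est) in sorted(daily_counts(SAMPLE_LOG.splitlines()).items()):
        print(f"{day}: unique IPs={uniq} summed max q={est}")
```

Note that a host changing its user-agent string within a day (192.0.2.10 on 13/Jan in the sample) is counted twice by the q-sum but once by the unique-IP count, one reason the two figures diverge.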

The worm does not yet appear to have begun updating itself. Some of the domains were registered and pointed at the ASProx botnet; possibly a hijacking, or maybe someone is just running their own numbers for a day. We don’t know. The ASProx botnet did not seem to handle the update check-in, however. Looking at the geographic distribution of the bots for January 14 reveals some interesting skews:

14 Jan 09 Unique IPs by CC

The worm is thought to have originated in the Ukraine, although we have no evidence that this is the case. One reason people think so is that the worm tries to skip Ukrainian hosts, for instance exiting if a Ukrainian keyboard layout is found. Looking at the above data, it’s clear that these sorts of things don’t always work the way you expect them to.

Biggest worm in a while, clearly.

11 Responses to “Two Weeks of Conficker Data and 12 Million Nodes”

January 30, 2009 at 7:42 pm, Malware Analysis & Diagnostic said:

Conficker / Downadup – Microsoft: MSRT Released…

Microsoft has just updated its malicious software removal tool (Malicious Software Removal Tool).

The MSRT tool is now able to detect and remove the Conficker/Downadup worm.

If you are looking for how to d…

February 04, 2009 at 6:15 am, Grupo SVB said:

[…] Jose Nazario, security research manager at Arbor Networks, tracked the malware’s activity for two weeks up to January 14. "The worm grew explosively during that period of time. The number of unique IPs appearing tripled, reaching 12 million on the last day of the study," says Nazario. […]

February 13, 2009 at 11:49 am, NTC IT-Service » Blog Archive » Microsoft offers reward for tips on Conficker author said:

[…] by variant .A and around 1.7 million addresses by variant .B are infected daily. According to estimates, around 12 million systems worldwide may be infected by the worm […]

February 13, 2009 at 10:03 pm, Microsoft bounty for worm creator « Xenophilia (True Strange Stuff) said:

[…] The worm is thought to have originated in the Ukraine although we have no evidence that says that’s the case. One of the reasons people think this is that the worm tries to skip Ukrainian hosts, for instance exiting if a Ukrainian keyboard layout is found. – arbornetworks […]

February 16, 2009 at 8:04 am, Worm "Conficker" infects hundreds of Bundeswehr computers - Security | News | ZDNet.de said:

[…] According to estimates, Conficker has by now spread to 12 million computers worldwide. The high infection rate was also the reason last week for Microsoft to offer a reward of 250,000 dollars for information leading to the arrest and conviction of the Conficker author. […]

February 18, 2009 at 3:05 pm, der detektiv said:

Worm “Conficker” infects hundreds of Bundeswehr computers…

The pest has been active since last Thursday. Individual offices have been disconnected from the Bundeswehr network to prevent further spread. CERTBw is working on removing the worm. As a spokesman for the Federal Ministry of Defen…

February 23, 2009 at 8:40 pm, Downadup—Advanced Crypto Protection said:

[…] so it won’t be a surprise if we see future Downadup domains registered by other criminals. There are also credible reports that this is already happening because some of the future domains pointed to well-known IP […]

March 04, 2009 at 7:08 pm, Downadup « Adm. Rogério Moreira said:

[…] Two Weeks of Conficker Data and 12 Million Nodes [1] Two Weeks of Conficker Data and 12 Million Nodes | Security to the Core | Arbor Networks Security […]

June 05, 2009 at 3:19 pm, Confiker 1 : Worm Characteristics at Digital Threat said:

[…] pointed towards Conficker sinkhole networks that gathered data. Arbor Networks were involved in the analysis of some of this data. Digital Threat is currently analysing DNS rendezvous data from November […]

August 19, 2009 at 1:32 pm, Know What To Do About Conficker Virus « Virus Watch said:

[…] machines, of which there could be as many as 12 million according to a guesstimate by Arbor Networks, could be used to launch distributed denial-of-service attacks on Web sites or seed a new worm, […]

October 19, 2009 at 1:39 pm, Know What To Do About Conficker Virus « :: Open Your Mind :: said:

[…] machines, of which there could be as many as 12 million according to a guesstimate by Arbor Networks, could be used to launch distributed denial-of-service attacks on Web sites or seed a new worm, […]

Comments are closed.