Posted on by Network Situational Awarenessin
Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful.
We've been able to separate Conficker.C peer-to-peer (p2p) traffic from other noise, and have enough sites instrumented to get a pretty good population estimate of currently infected hosts. Overall trends mirror those reported in SRI's Technical Report Addendum titled "Conficker C Analysis," figure 8, with initial onset of p2p scanning on March 5 and an increase on March 17.
Simple capture-recapture estimation based on our monitored networks suggests a total population of approximately 2.3 million IP addresses on March 30. We've observed between 350,000 to 650,000 addresses online during a given hour of the day, with 13:00-15:00Z being the most active time of day.
Conficker.A and Conficker.B originally infected hosts by exploiting a Microsoft Server RPC stack buffer overflow vulnerability, through network shares, or through autorun-enabled USB devices.
Interestingly, since Conficker.C appears to only come from updates to machines infected with Conficker.A or Conficker.B, a transition which only seems to have occurred on March 5th and 17th, the total number of Conficker.C infected addresses is observed to decrease by roughly 50,000 per day as machines are cleaned.
A breakdown of infections by country follows the measurements observed by Conficker.A and Conficker.B as expected. Approximately 16% of the infected addresses come from China, 11% each from Russia and Brazil, and 7% from India.