Internet Security Systems - AlertCon(TM)

Counting Confickers

Posted by Holly Stewart on April 02, 2009 at 1:33 PM EDT.

Now that the ambiguity about what is going to happen on April 1 (nothing) is behind us, the next question that seems to be on everyone’s mind is how many infections are really out there.  We’ve been holding off on releasing our numbers because we keep seeing the numbers climb considerably each day.

Also, several folks have been interested in the timeline of our research, the deployment of protection, and when we started counting. Here’s a quick look at it:

Wed., March 18: Mark starts analyzing a sample Conficker.C.
Fri., March 20: The general analysis of the worm is complete except for the protocol analysis.  Mark starts researching the protocol component.
Tue., March 24: Mark hands over his research to our content delivery team.
Thur., March 26: Beta content was pushed out to our X-Force Research Appliance customers and to our customers that participate in our Managed Security Services (MSS) beta program.  The infected IPs start rolling in, confirming that we need to rush this content update out to our customers ASAP.
Fri., March 27: Our protection updates are released to all customers.  We monitor the situation over the weekend and into the following week.  Each day, the number of infected IPs jumps considerably, so we hold off releasing exact numbers, hoping to reach a plateau that is fairly consistent from day to day.

There are a few factors that prevented us from getting an exact count from day one.  First, we initially rolled out content to our X-Force Research Appliance customers (a type of beta program that gets early content out to our non-managed customers) and to our Managed Security Services (MSS) customers involved in the beta program that rolls out a pre-release version of our updates.  These updates only gave us limited visibility into the problem (and limited infections), but it was enough to see that the content was going to uncover a lot of infections once we rolled it out to everyone.

Second, since the peer-to-peer chatter is so constant and many of these sensors are deployed on very busy networks, we designed our signature to throttle its reporting so that it would not over-burden the reporting capabilities of the agents.  Depending on the network, you can tune this up or down.  We are able to block all of the traffic easily (we block all IPs that match the traffic that we see), but reporting (generating an alert and sending it to the console) is another matter.  So, the tuning takes care of the reporting, but it means that only one infection source is reported over a certain period of time even if we see and block many IPs during that time.  Statistically, we will eventually see all infected IPs, but this is another reason why we have waited for a series of days before putting out a number.  I know this is a lengthy, technical explanation, but I just want everyone to understand that we were trying to be a responsible reporter.  We simply didn’t want to report a number that would be an inaccurate representation of the truth.

So, with that said, I want to list just a few more caveats so that everyone out there can understand these numbers and interpret them in an appropriate way.  First, our count is based on distinct IP addresses.  Most personal computers these days use DHCP, which means that their IP address can change every time they connect to a network.  For this reason, some of the hosts are most certainly counted more than once in our numbers.  On the other hand, many infected computers may be behind NAT devices, and in those cases multiple infected computers may only be counted a single time in our numbers.

Second, we are not seeing every host in the world.  We are seeing infected hosts that try to contact addresses protected by our Proventia agents.  Externally-facing agents, such as a managed Proventia IPS or Proventia Server that sits outside a firewall, or a managed Proventia Desktop that is connected to a consumer ISP, will see a lot of Conficker.C peer-to-peer traffic.  We have a global view from over 20K devices in 133 countries across 3,800 customers, but most of those devices are internally facing and won't see Internet Conficker events.

Ok, so, finally, here are the numbers:

Total unique IPs using Conficker.C peer-to-peer communication that we’ve seen since Thur., March 26, 2009 until around noon today (EST):
221,598

Total Unique IPs Seen Daily:
Monday, March 30, 2009:     37,072
Tuesday, March 31, 2009:    53,051
Wednesday, April 01, 2009:  64,101

Since we’re not seeing all IPs in the world, one might calculate an estimated percentage based on the total number of IPs (related to other security events) that we have seen during the same time period.  Using that metric (with all of its imperfections and caveats) would put the infection rate at about 4%.  Here's a chart that represents that estimate:

4/2/2009 3:45PM: Updated graphic to clarify percentages
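As an added illustration (not X-Force's own tooling), here is the counting method described above applied to a few constructed alert lines: distinct source IPs across the whole period, distinct IPs per day, and the rough percentage against all IPs seen in any event. The log format and event names are assumed for the example, and the per-day counts deliberately overlap to show why daily figures do not sum to the period total.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in an assumed "<ISO timestamp> <event> <src_ip>" format.
# The same infected IP reappears on several days, as a DHCP or persistent host would.
SAMPLE_ALERTS = """\
2009-03-30T08:12:44 Conficker_C_P2P 198.51.100.7
2009-03-30T09:03:10 Conficker_C_P2P 203.0.113.19
2009-03-30T11:40:02 SSH_Brute_Force 192.0.2.55
2009-03-30T14:22:31 Conficker_C_P2P 198.51.100.7
2009-03-31T01:05:09 Conficker_C_P2P 203.0.113.19
2009-03-31T03:11:48 Conficker_C_P2P 203.0.113.77
2009-03-31T10:59:00 HTTP_Scan 192.0.2.88
2009-04-01T06:30:15 Conficker_C_P2P 198.51.100.7
2009-04-01T07:01:22 Conficker_C_P2P 203.0.113.120
2009-04-01T12:45:05 SSH_Brute_Force 192.0.2.55
"""

CONFICKER_EVENT = "Conficker_C_P2P"  # assumed signature name

def parse_alerts(text):
    """Return (date, event, ip) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, ip = line.split()
        rows.append((datetime.fromisoformat(ts).date(), event, ip))
    return rows

def count_conficker(rows):
    """Distinct Conficker IPs over the whole period, plus distinct IPs per day."""
    total, daily = set(), defaultdict(set)
    for day, event, ip in rows:
        if event == CONFICKER_EVENT:
            total.add(ip)
            daily[day].add(ip)
    return len(total), {d.isoformat(): len(ips) for d, ips in sorted(daily.items())}

def estimated_rate(rows):
    """Conficker IPs as a percentage of every IP seen in any event (one decimal)."""
    all_ips = {ip for _, _, ip in rows}
    conficker_ips = {ip for _, ev, ip in rows if ev == CONFICKER_EVENT}
    return round(100 * len(conficker_ips) / len(all_ips), 1)

if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS)
    total, daily = count_conficker(rows)
    print("period total:", total, "daily:", daily, "rate:", estimated_rate(rows))
```

Summing the daily figures here gives 6 against a period total of 4, the same effect the DHCP and NAT caveats above describe at scale.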
