
Jose Nazario, Arbor Networks: Two Weeks of Conficker Data and 12 Million Nodes

February 2009 by Jose Nazario, Arbor Networks

I got access to some sinkhole logs for Conficker to do some processing. The logs are so big (this is one big sinkhole) that processing them took a few days. I only wanted to focus on the worm’s biggest growth period in early January, so I took a two-week section and had a look at it. The worm grew explosively in this time period: the number of unique IPs hitting the sinkhole per day tripled.

[Figure: two weeks of growth of unique IPs seen by day]

Using F-Secure’s method of summing the maximum “q” values seen for a specific IP+user-agent pair in a given day yields this magic value for the last day (and the biggest in the data set I analyzed): 14/Jan/2009, 11949597. Nearly 12 million infected hosts, it seems to be reporting. The skeptic in me knows that neither of these two numbers - the unique IPs seen in a day and the self-reported “q” value - represents the true number of infected hosts, but it’s a ballpark: many millions.
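As an added illustration (not code from the article, Arbor Networks or F-Secure), this computes both day-level metrics from sinkhole logs: unique source IPs per day, and the sum over (IP, user-agent) pairs of the largest “q” value each pair reported that day. The Common-Log-Format-style layout, the placement of “q” as a query parameter and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole lines (assumed CLF-like layout, not the real
# sinkhole format). Each carries client IP, timestamp, request and User-Agent.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jan/2009:10:00:01 +0000] "GET /search?q=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 6.0)"
10.0.0.1 - - [13/Jan/2009:11:00:01 +0000] "GET /search?q=5 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 6.0)"
10.0.0.1 - - [13/Jan/2009:12:00:01 +0000] "GET /search?q=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 7.0)"
10.0.0.2 - - [13/Jan/2009:12:30:00 +0000] "GET /search?q=1 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 6.0)"
10.0.0.1 - - [14/Jan/2009:09:00:00 +0000] "GET /search?q=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 6.0)"
10.0.0.3 - - [14/Jan/2009:09:05:00 +0000] "GET /search?q=4 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (MSIE 6.0)"
10.0.0.2 - - [14/Jan/2009:09:06:00 +0000] "GET /index.html HTTP/1.1" 200 12 "-" "curl/7.19"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return (day, ip, ua, q) for a log line, q=None when no q parameter; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = re.search(r'[?&]q=(\d+)', m.group('path'))
    return m.group('day'), m.group('ip'), m.group('ua'), (int(q.group(1)) if q else None)

def daily_counts(log_text):
    """Per day: unique source IPs (all hits) and the sum of max q per (ip, ua) pair."""
    unique_ips = defaultdict(set)
    max_q = defaultdict(dict)  # day -> {(ip, ua): largest q seen that day}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort a multi-day run
        day, ip, ua, q = rec
        unique_ips[day].add(ip)
        if q is not None:
            key = (ip, ua)
            max_q[day][key] = max(q, max_q[day].get(key, 0))
    return {day: {'unique_ips': len(unique_ips[day]),
                  'sum_max_q': sum(max_q[day].values())}
            for day in unique_ips}

if __name__ == '__main__':
    for day, stats in sorted(daily_counts(SAMPLE_LOG).items()):
        print(day, stats)
```

The two metrics diverge on the sample's second day: a non-reporting hit adds a unique IP without adding to the “q” sum, which is one reason neither figure is an exact host count.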

The worm does not yet appear to have begun updating itself. Some of the domains were registered and pointed at the ASProx botnet, it seems: possibly a hijacking, or maybe someone just running their own numbers for a day. We don’t know. The ASProx botnet did not seem to handle the update check-in, however. Looking at the geographic distribution of the bots for January 14 reveals some interesting skews:

[Figure: 14 Jan 09 unique IPs by country code]

The worm is thought to have originated in the Ukraine, although we have no evidence that says that’s the case. One of the reasons people think this is that the worm tries to skip Ukrainian hosts, for instance exiting if a Ukrainian keyboard layout is found. Looking at the above data, it’s clear that these sorts of things don’t always work the way you expect them to.

Biggest worm in a while, clearly.

