Conficker group says worm 4.6 million strong

The total number of infected PCs could be higher, however

Security experts say that the Conficker worm has infected an awful lot of computers, making it the largest "botnet" of hacked computers on the planet. The thing they can't seem to agree on, however, is exactly how many people have been hit.

The group of researchers that has been most closely tracking - and battling - the worm has now released its own estimate of Conficker's size.

According to data compiled by the Conficker Working Group, Conficker has been spotted on just under 4.6 million unique IP addresses. Its earlier A and B variants account for the lion's share of that - 3.4 million IP addresses - with the more-recent C variant spotted at 1.2 million addresses.

The countries measuring the largest number of infections for all variants are China, Brazil and Russia.

Conficker has been infecting Windows machines since October, but in recent weeks it has been getting a lot of attention as a newer version of the worm, Conficker.C, has updated the way it looks for instructions, making it much harder to stop.

Over the past weekend, Conficker infected nearly 800 PCs at the University of Utah's Health Sciences Center. IT staff there think it might have gotten on the network via an infected thumb drive. Once installed on one PC, Conficker is very effective at seeking out other unpatched Windows machines to spread.

Users who wonder if they're infected by the worm can try out this simple test developed by SecureWorks.

Studies done two weeks ago by OpenDNS and IBM's Internet Security Systems group had suggested that as many as 4 percent of PCs might have been hit with the Conficker worm, but the Working Group's analysis suggests the number is likely much lower.

"We're hoping that publishing these numbers will throw a little bit of reality into the equation," said Andre DiMino, cofounder of The Shadowserver Foundation and a member of the Working Group. He does not believe that 4 percent of PCs were infected. "It's hard to make a case for that right now," he said.

But the actual number of infections could be higher or lower than 4.6 million, DiMino admitted. Because the Working Group's method counts IP addresses, they may have over-counted consumers who log on from multiple IP addresses, or undercounted corporate infections, which are often hidden behind a single IP address.

OpenDNS, IBM and the Working Group all used different techniques to arrive at their estimates, but they all rely on the fact that infected machines need to check in with a "command and control" server for instructions.

The Working Group got its data by setting up "sinkhole" servers at points on the Internet used by infected machines to download instructions. They did this by taking over the Internet domains that Conficker is programmed to visit to search for those instructions.

The number of infections measured by the Working Group is in line with its estimates of earlier variants of the worm, DiMino said. "Not all of the As and Bs have been turned into Cs," he said.

To complicate matters further, a new variant of Conficker was spotted last week, and this one communicates primarily using peer-to-peer techniques, which are not easily measured by the Working Group's sinkhole servers. This means the group will probably need to develop a new way of counting infections as the peer-to-peer variant spreads, DiMino said.

Even though the Working Group's data is, at first glance, quite different from IBM's, its results are not a surprise, according to Holly Stewart, a threat response manager with IBM's Internet Security Systems (ISS).

It's "really hard" to get a fix on the size of the botnet, she said. "I don't think anyone has a perfect answer," she said. "They have one data point and we have another data point."

"If you ask me what the true number is," she added, "we don't know."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags wormconflickermalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?