Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Experts bicker over Conficker numbers

Is it 4.6 million infected PCs or not?

Article comments

Security experts say that the Conficker worm has infected an awful lot of computers, making it the largest "botnet" of hacked computers on the planet. The thing they can't seem to agree on, however, is exactly how many people have been hit.

The group of researchers that has been most closely tracking - and battling - the worm has now released its own estimate of Conficker's size. According to data compiled by the Conficker Working Group, Conficker has been spotted on just under 4.6 million unique IP addresses.

Its earlier A and B variants account for the lion's share of that - 3.4 million IP addresses - with the more-recent C variant spotted at 1.2 million addresses.

The countries measuring the largest number of infections for all variants are China, Brazil and Russia.

Conficker has been infecting Windows machines since October, but in recent weeks it has been getting a lot of attention as a newer version of the worm, Conficker.C, has updated the way it looks for instructions, making it much harder to stop.

Over the past weekend, Conficker infected nearly 800 PCs at the University of Utah's Health Sciences Center. IT staff there think it might have gotten on the network via an infected thumb drive. Once installed on one PC, Conficker is very effective at seeking out other unpatched Windows machines to spread.

Studies done two weeks ago by OpenDNS and IBM's Internet Security Systems group had suggested that as many as 4 percent of PCs might have been hit with the Conficker worm, but the Working Group's analysis suggests the number is likely much lower.

"We're hoping that publishing these numbers will throw a little bit of reality into the equation," said Andre DiMino, cofounder of The Shadowserver Foundation and a member of the Working Group. He does not believe that 4 percent of PCs were infected. "It's hard to make a case for that right now," he said.

But the actual number of infections could be higher or lower than 4.6 million, DiMino admitted. Because the Working Group's method counts IP addresses, they may have over-counted consumers who log on from multiple IP addresses, or undercounted corporate infections, which are often hidden behind a single IP address.

OpenDNS, IBM and the Working Group all used different techniques to arrive at their estimates, but they all rely on the fact that infected machines need to check in with a "command and control" server for instructions. The Working Group got its data by setting up "sinkhole" servers at points on the Internet used by infected machines to download instructions. They did this by taking over the Internet domains that Conficker is programmed to visit to search for those instructions.

The number of infections measured by the Working Group is in line with its estimates of earlier variants of the worm, DiMino said. "Not all of the As and Bs have been turned into Cs," he said.

To complicate matters further, a new variant of Conficker was spotted last week, and this one communicates primarily using peer-to-peer techniques, which are not easily measured by the Working Group's sinkhole servers. This means the group will probably need to develop a new way of counting infections as the peer-to-peer variant spreads, DiMino said.

Even though the Working Group's data is, at first glance, quite different from IBM's, its results are not a surprise, according to Holly Stewart, a threat response manager with IBM's Internet Security Systems (ISS). It's "really hard" to get a fix on the size of the botnet, she said. "I don't think anyone has a perfect answer," she said. "They have one data point and we have another data point."

"If you ask me what the true number is," she added, "we don't know."



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *