April 14, 2009, 8:24 PM — Security experts say that the Conficker worm has infected an awful lot of computers, making it the largest "botnet" of hacked computers on the planet. The thing they can't seem to agree on, however, is exactly how many people have been hit.
The group of researchers that has been most closely tracking -- and battling -- the worm has now released its own estimate of Conficker's size. According to data compiled by the Conficker Working Group, Conficker has been spotted on just under 4.6 million unique IP addresses. Its earlier A and B variants account for the lion's share of that -- 3.4 million IP addresses -- with the more-recent C variant spotted at 1.2 million addresses.
The countries measuring the largest number of infections for all variants are China, Brazil and Russia.
Conficker has been infecting Windows machines since October, but in recent weeks it has been getting a lot of attention as a newer version of the worm, Conficker.C, has updated the way it looks for instructions, making it much harder to stop.
Over the past weekend, Conficker infected nearly 800 PCs at the University of Utah's Health Sciences Center. IT staff there think it might have gotten on the network via an infected thumb drive. Once installed on one PC, Conficker is very effective at seeking out other unpatched Windows machines to spread.
Users who wonder if they're infected by the worm can try out this simple test developed by SecureWorks.
Studies done two weeks ago by OpenDNS and IBM's Internet Security Systems group had suggested that as many as 4 percent of PCs might have been hit with the Conficker worm, but the Working Group's analysis suggests the number is likely much lower.
"We're hoping that publishing these numbers will throw a little bit of reality into the equation," said Andre DiMino, cofounder of The Shadowserver Foundation and a member of the Working Group. He does not believe that 4 percent of PCs were infected. "It's hard to make a case for that right now," he said.
But the actual number of infections could be higher or lower than 4.6 million, DiMino admitted. Because the Working Group's method counts IP addresses, they may have over-counted consumers who log on from multiple IP addresses, or undercounted corporate infections, which are often hidden behind a single IP address.
OpenDNS, IBM and the Working Group all used different techniques to arrive at their estimates, but they all rely on the fact that infected machines need to check in with a "command and control" server for instructions. The Working Group got its data by setting up "sinkhole" servers at points on the Internet used by infected machines to download instructions. They did this by taking over the Internet domains that Conficker is programmed to visit to search for those instructions.
The number of infections measured by the Working Group is in line with its estimates of earlier variants of the worm, DiMino said. "Not all of the As and Bs have been turned into Cs," he said.
To complicate matters further, a new variant of Conficker was spotted last week, and this one communicates primarily using peer-to-peer techniques, which are not easily measured by the Working Group's sinkhole servers. This means the group will probably need to develop a new way of counting infections as the peer-to-peer variant spreads, DiMino said.
Even though the Working Group's data is, at first glance, quite different from IBM's, its results are not a surprise, according to Holly Stewart, a threat response manager with IBM's Internet Security Systems (ISS). It's "really hard" to get a fix on the size of the botnet, she said. "I don't think anyone has a perfect answer," she said. "They have one data point and we have another data point."
"If you ask me what the true number is," she added, "we don't know."
