Conficker Infection Analysis Turns Spotlight on Number of Compromises

An analysis by Kaspersky Lab has identified roughly 200,000 unique IPs participating in Conficker's peer-to-peer network. That number, however, only represents a small portion of those affected by the worm.

Has the number of Conficker infections been overhyped? Not necessarily.

New research by Kaspersky Lab has put the aforementioned question back in the spotlight. While the Conficker worm generated an intense amount of public interest, the number of computers infected with the newest variant of the worm seems to be relatively small.

Kaspersky Lab's analysis revealed just over 200,000 unique IP addresses were participating in Conficker's peer-to-peer network (P2P).

"While analysing Kido [Conficker] network behaviour we've been able to develop an application that helped us to get an in depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week," blogged Georg Wicherski, a virus analyst at the security company. "Over a 24 hour observation period, we've been able to identify 200,652 unique IPs participating in the network, far less then initial estimated Kido infection counts."

Further reading

However, Kaspersky Lab Senior Antivirus Researcher Roel Schouwenberg noted this is just the number of computers the company detected participating in the P2P network. The total number of infected machines is still in the millions, Schouwenberg told eWEEK.

At various points, vendors have put the number as high as 9 million, but efforts by the security community such as The Conficker Working Group seem to have paid off. However, the group still puts the current number of unique IPs infected with variants A, B and C at roughly 3.6 million.

Only a fraction of the nodes infected with earlier variants appear to have been updated, according to Wicherski's blog post. Kaspersky's analysis also found that the highest concentration of infected machines is in Brazil, China and the eastern part of the United States, which is reminiscent of similar findings from IBM's X-Force earlier this month.

The latest iteration of the worm has been tied to a scheme to trick users into downloading rogue anti-virus. There are a number of tools available to help victims remove and detect the malware, as well as a patch for the Microsoft vulnerability targeted by multiple versions of the worm.