Russia, U.S., and Ukraine are home to highest numbers of Conficker-infected IP addresses

Dark Reading Staff, Dark Reading

December 17, 2009

2 Min Read

While the sleeping giant known as Conficker has amassed a botnet of more than 6.5 million infected machines from all around the world but hasn't actually done anything with all of that firepower yet, a look at the distribution of infected bots shows all network providers are at risk, according to the nonprofit botnet research organization ShadowServer.

"Because [Conficker] hasn't exhibited any malicious activity yet, there tends to be some apathy toward it," says Andre DiMino, director of Shadowserver, which today released some of the data it has been gathering on the location of machines infected by Conficker worldwide.

Shadowserver's data lists the top 500 ASNs, or IP routing groups under a network operator, by country and also breaks down the number of infected IP addresses by their network providers. Russia has the most infected ASNs with 1,075, followed by the U.S. with 604, and the Ukraine with 419. The organization also included a chart showing what percentage of each ASN's routed space is affected by Conficker.

"All the values that are displayed here represent unique IP addresses that connected to sinkhole servers. Most of these IP addresses connected many times each day," Shadowserver said in its report. "A single unique IP address may not represent a single infection. It could represent 100, or 1/100, and anything in-between, or even higher or lower of the listed values. The purpose in giving any numbers is to have a starting point in treating all the values in an equal manner. We know it is not the best indicator, but it is one that we feel is a more fair representation."

In the U.S., AT&T Internet Services has the highest number of unique Conficker A and B variant IP addresses, with 9,783, followed by with 9,463, and Verizon Internet Services with 6,701.

Russia's Corbina Telecom, meanwhile, has 55,538 unique Conficker A and B IP addresses.

"This [report] shows that all network providers worldwide still have a lot of work to do," DiMino says.

Both Shadowserver and the Conficker Working Group have tried to notify as many providers as possible about their infected customer machines, DiMino says. But remediating Conficker from the provider side is a "huge effort," he says. "We're hoping that the detection and clean-up can occur from the bottom-up this time, with more folks testing and cleaning their own systems, rather than wait for their provider to notify them," DiMino says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights