Conficker group says worm 4.6 million strong

The total number of infected PCs could be higher, however, as new variants on the worm make it harder to track

Security experts say that the Conficker worm has infected an awful lot of computers, making it the largest "botnet" of hacked computers on the planet. The thing they can't seem to agree on, however, is exactly how many people have been hit.

The group of researchers that has been most closely tracking -- and battling -- the worm has now released its own estimate of Conficker's size. According to data compiled by the Conficker Working Group, Conficker has been spotted on just under 4.6 million unique IP addresses. Its earlier A and B variants account for the lion's share of that -- 3.4 million IP addresses -- with the more-recent C variant spotted at 1.2 million addresses.

[ In his Security Adviser blog, Roger A. Grimes discussed how the Conficker worm upped the ante for security. | Back in February, Microsoft put out a $250,000 bounty on Conficker. ]

The countries measuring the largest number of infections for all variants are China, Brazil, and Russia.

Conficker has been infecting Windows machines since October, but in recent weeks, it has been getting a lot of attention as a newer version of the worm, Conficker.C, has updated the way it looks for instructions, making it much harder to stop.

Over the past weekend, Conficker infected nearly 800 PCs at the University of Utah's Health Sciences Center. IT staff there think it might have gotten on the network via an infected thumb drive. Once installed on one PC, Conficker is very effective at seeking out other unpatched Windows machines to spread.

Users who wonder if they're infected by the worm can try out this simple test developed by SecureWorks.

Studies done two weeks ago by OpenDNS and IBM's Internet Security Systems group had suggested that as many as 4 percent of PCs might have been hit with the Conficker worm, but the Working Group's analysis suggests the number is likely much lower.

"We're hoping that publishing these numbers will throw a little bit of reality into the equation," said Andre DiMino, co-founder of The Shadowserver Foundation and a member of the Working Group. He does not believe that 4 percent of PCs were infected. "It's hard to make a case for that right now," he said.

But the actual number of infections could be higher or lower than 4.6 million, DiMino admitted. Because the Working Group's method counts IP addresses, they may have overcounted consumers who log on from multiple IP addresses, or undercounted corporate infections, which are often hidden behind a single IP address.

OpenDNS, IBM, and the Working Group all used different techniques to arrive at their estimates, but they all rely on the fact that infected machines need to check in with a "command and control" server for instructions. The Working Group got its data by setting up "sinkhole" servers at points on the Internet used by infected machines to download instructions. They did this by taking over the Internet domains that Conficker is programmed to visit to search for those instructions.

The number of infections measured by the Working Group is in line with its estimates of earlier variants of the worm, DiMino said. "Not all of the As and Bs have been turned into Cs," he said.

To complicate matters further, a new variant of Conficker was spotted last week, and this one communicates primarily using peer-to-peer techniques, which are not easily measured by the Working Group's sinkhole servers. This means the group will probably need to develop a new way of counting infections as the peer-to-peer variant spreads, DiMino said.

Even though the Working Group's data is, at first glance, quite different from IBM's, its results are not a surprise, according to Holly Stewart, a threat response manager with IBM's Internet Security Systems. It's "really hard" to get a fix on the size of the botnet, she said. "I don't think anyone has a perfect answer," she said. "They have one data point and we have another data point."

"If you ask me what the true number is," she added, "we don't know."