BlackWorm Statistics

• Date: January 26, 2006
• Author: Joe Stewart

Analysis

As reported in the previous analysis, BlackWorm contacts a web stats counter to report infections. Working with the ISP hosting the counter along with the TISF BlackWorm task force, we have obtained and analyzed the logs from the counter.

Update: February 6, 2006

The folks at CAIDA have done a terrific job of applying statistical theory to the raw log hits - if you're looking for in-depth statistical analysis, you should check out their writeup.

An attempt was made by an unknown party to artificially inflate the counter using a set of 279 distributed (presumably compromised) computers. However, it is easy to differentiate these requests from the actual infected systems. As of the time these statistics were taken, the counter is well above 5 million, however, the actual count of infected users is closer to 300,000 worldwide and not increasing at too great a rate.

The graph above shows the total hits from all sources on the counter. Notice the sharp increase on Jan 25 at 8:00AM, as the coordinated attack on the counter begins.

The graph above shows the total infections, after removing the attacking IPs and other hits which do not conform to the signature of the worm's requests. Duplicate IP addresses with the same user-agent have been removed as well, giving us as near to an actual infection count as possible, given the use of proxy/cache servers.

The pie chart above shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are skewed by ARIN IP address reassignment, but we do believe India is the hardest-hit country by far in terms of overall infection rate.

Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning.

Frequently Asked Questions

Q: What did you use to match IP addresses to countries?
A: The IP::Country and Geography::Countries Perl modules.

Q: Isn't it impossible to get an exact count, due to proxy/cache servers and NAT?
A: Yes, this is a well-known problem with taking web statistics. We've tried to eliminate this skew as much as possible by checking the user-agent string as well as the IP, but even that is not perfect. One thing to consider is that users on dialup lines will skew the count in the other direction, showing up as multiple IPs for one infection, so you're never going to have a 100% accurate count.

Q: Can you share the complete counts for all infected countries?
A: Sure:

8 Afghanistan 21 Albania 106 Algeria 6 Andorra 2 Angola 1 Antigua and Barbuda 1595 Argentina 5 Armenia 960 Australia 503 Austria 19 Azerbaijan 9 Bahamas 105 Bahrain 121 Bangladesh 1 Barbados 24 Belarus 305 Belgium 4 Belize 5 Benin 2 Bermuda 4 Bhutan 158 Bolivia 40 Bosnia and Herzegovina 1367 Brazil 96 Brunei Darussalam 102 Bulgaria 12 Burkina Faso 13 Cambodia 14 Cameroon 1194 Canada 5 Chad 734 Chile 2544 China 515 Colombia 1 Comoros 250 Costa Rica 123 Croatia 17 Cuba 146 Cyprus 260 Czech Republic 27 C?te d'Ivoire 104 Denmark 3 Djibouti 38 Dominican Republic 110 Ecuador 7615 Egypt 68 El Salvador 1 Equatorial Guinea 1 Eritrea 17 Estonia 5 Ethiopia 8 Fiji 66 Finland 1248 France 1 French Polynesia 3 Gabon 31 Georgia 1768 Germany 15 Ghana 6 Gibraltar 4716 Greece 7 Guam 57 Guatemala 6 Haiti 706 Hong Kong Special Administrative Region of China 56 Hungary 2 Iceland 79610 India 3873 Indonesia 656 Iran (Islamic Republic of) 15 Iraq 236 Ireland 747 Israel 22710 Italy 1 Jamaica 327 Japan 909 Jordan 27 Kazakhstan 97 Kenya 1294 Kuwait 5 Kyrgyzstan 39 Lao People's Democratic Republic 67 Latvia

158 Lebanon 56 Libyan Arab Jamahiriya 1 Liechtenstein 109 Lithuania 33 Luxembourg 9 Macau 8 Madagascar 3 Malawi 7176 Malaysia 17 Maldives 2 Mali 56 Malta 2 Mauritania 52 Mauritius 2962 Mexico 26 Monaco 1 Mongolia 112 Morocco 3 Mozambique 16 Nepal 410 Netherlands 9 Netherlands Antilles 148 New Zealand 30 Nicaragua 3 Niger 110 Nigeria 1 Northern Mariana Islands 136 Norway 441 Oman 695 Pakistan 1 Palau 53 Panama 13 Papua New Guinea 13 Paraguay 54878 Peru 2463 Philippines 701 Poland 420 Portugal 5 Puerto Rico 232 Qatar 354 Republic of Korea 4 Republic of Moldova 314 Romania 312 Russian Federation 10 San Marino 5 Sao Tome and Principe 252 Saudi Arabia 28 Senegal 1392 Singapore 27 Slovakia 33 Slovenia 1 Solomon Islands 472 South Africa 1384 Spain 1750 Sri Lanka 116 Sudan 1 Swaziland 331 Sweden 429 Switzerland 49 Syrian Arab Republic 487 Taiwan 1658 Thailand 64 The former Yugoslav Republic of Macedonia 6 Togo 50 Trinidad and Tobago 102 Tunisia 15516 Turkey 22 Uganda 78 Ukraine 1391 United Arab Emirates 1960 United Kingdom 37 United Republic of Tanzania 15270 United States 1 United States Virgin Islands 2837 Unknown 92 Uruguay 14 Uzbekistan 519 Venezuela 353 Viet Nam 197 Yemen 60 Yugoslavia 9 Zambia 3 Zimbabwe

Q: Those stats look a little off. How can Turkey, with a much smaller Internet-connected population have more infections than the United States?
A: Indeed - it does appear strange - however, viruses don't always spread uniformly. There are many factors at play which are hard to quantify, such as the initial seeding, social-engineering, AV deployment, and random chance. And, as with all statistics, take with a grain of salt.

Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.

Q: How can I keep current on this threat until February 3?
A: Sites with frequent updates on BlackWorm are http://isc.sans.org/blackworm/and http://blogs.securiteam.org/

Update - January 31, 2006

We decided to take a different approach to de-duplicating the IP addresses in the logs. Instead of only counting unique IP/User-Agent pairs, this time we make an educated guess as to what constitues a single user rebooting multiple times, and what constitutes a company or organization utilizing one or several NAT devices. In this case we unscientifically picked a number, ten. IP addresses with fewer than this number of hits are considered to fall into the individual user/multiple reboots category. IP addresses with more than this number of hits are considered one infection per hit. Still plenty of room for error, but we get some interesting results:

In the chart above, we have an additional day's worth of logs, and we have combined all countries with fewer than around 4000 hits together in the "Other" grouping.

We can see that the United States now tops India in the total number of infections, as one might expect. Surprisingly though, the bulk (75,435) of these hits are from two NAT devices at a single US company. Based on the more recent logs plus the different methodology, we believe the total number of users infected worldwide is actually closer to 600,000.