• Date: January 26, 2006
  • Author: Joe Stewart

Analysis

As reported in the previous analysis, BlackWorm contacts a web stats counter to report infections. Working with the ISP hosting the counter along with the TISF BlackWorm task force, we have obtained and analyzed the logs from the counter.

Update: February 6, 2006

The folks at CAIDA have done a terrific job of applying statistical theory to the raw log hits - if you're looking for in-depth statistical analysis, you should check out their writeup.

An attempt was made by an unknown party to artificially inflate the counter using a set of 279 distributed (presumably compromised) computers. However, these requests are easy to distinguish from those made by actually infected systems. As of the time these statistics were taken, the counter read well above 5 million; the actual count of infected systems, however, is closer to 300,000 worldwide and is not increasing at a great rate.

The graph above shows the total hits from all sources on the counter. Notice the sharp increase on Jan 25 at 8:00AM, as the coordinated attack on the counter begins.

The graph above shows the total infections, after removing the attacking IPs and other hits which do not conform to the signature of the worm's requests. Duplicate IP addresses with the same user-agent have been removed as well, giving us as near to an actual infection count as possible, given the use of proxy/cache servers.

The pie chart above shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are skewed by IP address block reassignments (e.g., by ARIN) that the IP-to-country data has not yet caught up with, but we do believe India is the hardest-hit country by far in terms of overall infection rate.

Even so, 300,000 infected users worldwide is not a terribly large number when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users that matters; it is the destructive payload which is most concerning.

Frequently Asked Questions

Q: What did you use to match IP addresses to countries?
A: The IP::Country and Geography::Countries Perl modules.

Q: Isn't it impossible to get an exact count, due to proxy/cache servers and NAT?
A: Yes, this is a well-known problem with taking web statistics. We've tried to eliminate this skew as much as possible by checking the user-agent string as well as the IP, but even that is not perfect. One thing to consider is that users on dialup lines will skew the count in the other direction, showing up as multiple IPs for one infection, so you're never going to have a 100% accurate count.

Q: Can you share the complete counts for all infected countries?
A: Sure:

8 Afghanistan
21 Albania
106 Algeria
6 Andorra
2 Angola
1 Antigua and Barbuda
1595 Argentina
5 Armenia
960 Australia
503 Austria
19 Azerbaijan
9 Bahamas
105 Bahrain
121 Bangladesh
1 Barbados
24 Belarus
305 Belgium
4 Belize
5 Benin
2 Bermuda
4 Bhutan
158 Bolivia
40 Bosnia and Herzegovina
1367 Brazil
96 Brunei Darussalam
102 Bulgaria
12 Burkina Faso
13 Cambodia
14 Cameroon
1194 Canada
5 Chad
734 Chile
2544 China
515 Colombia
1 Comoros
250 Costa Rica
123 Croatia
17 Cuba
146 Cyprus
260 Czech Republic
27 Côte d'Ivoire
104 Denmark
3 Djibouti
38 Dominican Republic
110 Ecuador
7615 Egypt
68 El Salvador
1 Equatorial Guinea
1 Eritrea
17 Estonia
5 Ethiopia
8 Fiji
66 Finland
1248 France
1 French Polynesia
3 Gabon
31 Georgia
1768 Germany
15 Ghana
6 Gibraltar
4716 Greece
7 Guam
57 Guatemala
6 Haiti
706 Hong Kong Special Administrative Region of China
56 Hungary
2 Iceland
79610 India
3873 Indonesia
656 Iran (Islamic Republic of)
15 Iraq
236 Ireland
747 Israel
22710 Italy
1 Jamaica
327 Japan
909 Jordan
27 Kazakhstan
97 Kenya
1294 Kuwait
5 Kyrgyzstan
39 Lao People's Democratic Republic
67 Latvia
158 Lebanon
56 Libyan Arab Jamahiriya
1 Liechtenstein
109 Lithuania
33 Luxembourg
9 Macau
8 Madagascar
3 Malawi
7176 Malaysia
17 Maldives
2 Mali
56 Malta
2 Mauritania
52 Mauritius
2962 Mexico
26 Monaco
1 Mongolia
112 Morocco
3 Mozambique
16 Nepal
410 Netherlands
9 Netherlands Antilles
148 New Zealand
30 Nicaragua
3 Niger
110 Nigeria
1 Northern Mariana Islands
136 Norway
441 Oman
695 Pakistan
1 Palau
53 Panama
13 Papua New Guinea
13 Paraguay
54878 Peru
2463 Philippines
701 Poland
420 Portugal
5 Puerto Rico
232 Qatar
354 Republic of Korea
4 Republic of Moldova
314 Romania
312 Russian Federation
10 San Marino
5 Sao Tome and Principe
252 Saudi Arabia
28 Senegal
1392 Singapore
27 Slovakia
33 Slovenia
1 Solomon Islands
472 South Africa
1384 Spain
1750 Sri Lanka
116 Sudan
1 Swaziland
331 Sweden
429 Switzerland
49 Syrian Arab Republic
487 Taiwan
1658 Thailand
64 The former Yugoslav Republic of Macedonia
6 Togo
50 Trinidad and Tobago
102 Tunisia
15516 Turkey
22 Uganda
78 Ukraine
1391 United Arab Emirates
1960 United Kingdom
37 United Republic of Tanzania
15270 United States
1 United States Virgin Islands
2837 Unknown
92 Uruguay
14 Uzbekistan
519 Venezuela
353 Viet Nam
197 Yemen
60 Yugoslavia
9 Zambia
3 Zimbabwe


Q: Those stats look a little off. How can Turkey, with a much smaller Internet-connected population have more infections than the United States?
A: Indeed - it does appear strange - however, viruses don't always spread uniformly. There are many factors at play which are hard to quantify, such as the initial seeding, social-engineering, AV deployment, and random chance. And, as with all statistics, take with a grain of salt.

Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.

Q: How can I keep current on this threat until February 3?
A: Sites with frequent updates on BlackWorm are http://isc.sans.org/blackworm/ and http://blogs.securiteam.org/

Update - January 31, 2006

We decided to take a different approach to de-duplicating the IP addresses in the logs. Instead of only counting unique IP/User-Agent pairs, this time we make an educated guess as to what constitutes a single user rebooting multiple times, and what constitutes a company or organization utilizing one or several NAT devices. In this case we unscientifically picked a number, ten. IP addresses with fewer than this number of hits are considered to fall into the individual user/multiple reboots category and count as one infection. IP addresses with more than this number of hits are considered NAT devices and count as one infection per hit. There is still plenty of room for error, but we get some interesting results:

In the chart above, we have an additional day's worth of logs, and we have combined all countries with fewer than around 4000 hits together in the "Other" grouping.

We can see that the United States now tops India in the total number of infections, as one might expect. Surprisingly though, the bulk (75,435) of these hits are from two NAT devices at a single US company. Based on the more recent logs plus the different methodology, we believe the total number of users infected worldwide is actually closer to 600,000.
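The two counting methods described above (the January 26 unique IP/User-Agent method and the January 31 NAT-threshold heuristic), plus a per-country tally of the kind produced with IP::Country, are implemented here as an added example against a constructed sample of counter log lines. This is not code from the original analysis. The worm's actual request path and User-Agent string are not given on this page, so the `/cgi-bin/counter.cgi?id=12345` path, the MSIE User-Agent pattern, the `KNOWN_ATTACKERS` list standing in for the 279 inflation hosts, and the prefix-to-country table are all assumptions.

```python
"""Added example: infection-count methods from the BlackWorm counter analysis,
run over constructed Apache "combined" log lines (not the original logs)."""
import ipaddress
import re
from collections import Counter

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMED worm request signature: the real path and User-Agent are not on the
# page. A Windows binary fetching a URL through WinInet sends an MSIE-style
# User-Agent and no Referer, which is the shape assumed here.
WORM_PATH = "/cgi-bin/counter.cgi?id=12345"
WORM_UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE \d\.\d; Windows")

MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
MSIE55 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"


def _line(ip, ts, ua, path=WORM_PATH):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 43 "-" "{ua}"'


# CONSTRUCTED sample log (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    # one home user whose machine rebooted three times: same IP, same UA
    _line("203.0.113.5", "24/Jan/2006:10:01:12 -0500", MSIE6),
    _line("203.0.113.5", "24/Jan/2006:11:30:02 -0500", MSIE6),
    _line("203.0.113.5", "24/Jan/2006:16:45:40 -0500", MSIE6),
    # two different Windows builds behind one proxy address: two infections
    _line("198.51.100.9", "24/Jan/2006:10:05:00 -0500", MSIE55),
    _line("198.51.100.9", "24/Jan/2006:10:05:01 -0500", MSIE6),
    # inflation host using a scripted client: rejected by the UA signature
    _line("192.0.2.200", "25/Jan/2006:08:00:00 -0500", "curl/7.15.1"),
    _line("192.0.2.200", "25/Jan/2006:08:00:01 -0500", "curl/7.15.1"),
    # inflation host forging the worm's UA: only the attacker list removes it
    _line("192.0.2.201", "25/Jan/2006:08:00:02 -0500", MSIE6),
] + [
    # a corporate NAT gateway: 12 infected desktops reporting from one IP
    _line("192.0.2.77", f"25/Jan/2006:09:{i:02d}:00 -0500", MSIE6) for i in range(12)
]
# ASSUMED stand-in for the 279 hosts identified in the coordinated attack.
KNOWN_ATTACKERS = frozenset({"192.0.2.200", "192.0.2.201"})


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_worm_hit(hit):
    """True if the request conforms to the (assumed) worm request signature."""
    return (hit["method"] == "GET" and hit["path"] == WORM_PATH
            and hit["referer"] == "-" and WORM_UA_RE.match(hit["ua"]) is not None)


def worm_hits(lines, attacker_ips=frozenset()):
    """Conforming hits with the known inflation hosts removed."""
    return [h for h in parse(lines) if is_worm_hit(h) and h["ip"] not in attacker_ips]


def count_unique_ip_ua(hits):
    """January 26 method: one infection per distinct (IP, User-Agent) pair."""
    return len({(h["ip"], h["ua"]) for h in hits})


def count_with_nat_heuristic(hits, threshold=10):
    """January 31 method: an IP with fewer than `threshold` hits is one user
    rebooting (1 infection); an IP at or above it is treated as a NAT device
    (one infection per hit). The page does not say which side exactly ten
    falls on; this implementation treats it as NAT."""
    per_ip = Counter(h["ip"] for h in hits)
    return sum(1 if n < threshold else n for n in per_ip.values())


# CONSTRUCTED stand-in for the IP::Country database: documentation prefixes
# mapped to arbitrary countries, longest prefix wins.
PREFIX_TO_COUNTRY = [
    (ipaddress.ip_network("203.0.113.0/24"), "Peru"),
    (ipaddress.ip_network("198.51.100.0/24"), "United States"),
    (ipaddress.ip_network("192.0.2.0/25"), "Turkey"),
]


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in PREFIX_TO_COUNTRY:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else "Unknown"


def infections_by_country(hits):
    """Per-country tally of unique (IP, User-Agent) pairs, as in the pie chart."""
    return Counter(country_of(ip) for ip, _ in {(h["ip"], h["ua"]) for h in hits})


if __name__ == "__main__":
    hits = worm_hits(SAMPLE_LOG, KNOWN_ATTACKERS)
    print("raw hits:", len(SAMPLE_LOG), "conforming, non-attacker hits:", len(hits))
    print("unique IP/UA infections:", count_unique_ip_ua(hits))
    print("NAT-heuristic infections:", count_with_nat_heuristic(hits))
    print("by country:", dict(infections_by_country(hits)))
```

Running it on the sample shows the gap between the two methods that the text describes: the unique IP/User-Agent count is 4, while the NAT heuristic credits the 12-hit gateway with 12 infections and returns 14. Note that the host forging the worm's User-Agent survives signature filtering and is only removed because it appears in the attacker list, which is why the out-of-band identification of the 279 inflation hosts matters.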