
              BlackWorm Statistics

              • Date: January 26, 2006
              • Author: Joe Stewart

              Analysis

              As reported in the previous analysis, BlackWorm contacts a web stats counter to report infections. Working with the ISP hosting the counter along with the TISF BlackWorm task force, we have obtained and analyzed the logs from the counter.

              Update: February 6, 2006

              The folks at CAIDA have done a terrific job of applying statistical theory to the raw log hits - if you're looking for in-depth statistical analysis, you should check out their writeup.

              An attempt was made by an unknown party to artificially inflate the counter using a set of 279 distributed (presumably compromised) computers. However, it is easy to differentiate these requests from those of actually infected systems. As of the time these statistics were taken, the counter is well above 5 million; however, the actual count of infected users is closer to 300,000 worldwide, and it is not increasing at too great a rate.

              The graph above shows the total hits from all sources on the counter. Notice the sharp increase on Jan 25 at 8:00AM, as the coordinated attack on the counter begins.

              The graph above shows the total infections, after removing the attacking IPs and other hits which do not conform to the signature of the worm's requests. Duplicate IP addresses with the same user-agent have been removed as well, giving us as near to an actual infection count as possible, given the use of proxy/cache servers.

              The pie chart above shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are skewed by ARIN IP address reassignment, but we do believe India is the hardest-hit country by far in terms of overall infection rate.

              Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning.

              Frequently Asked Questions

              Q: What did you use to match IP addresses to countries?
              A: The IP::Country and Geography::Countries Perl modules.

              Q: Isn't it impossible to get an exact count, due to proxy/cache servers and NAT?
              A: Yes, this is a well-known problem with taking web statistics. We've tried to eliminate this skew as much as possible by checking the user-agent string as well as the IP, but even that is not perfect. One thing to consider is that users on dialup lines will skew the count in the other direction, showing up as multiple IPs for one infection, so you're never going to have a 100% accurate count.

              Q: Can you share the complete counts for all infected countries?
              A: Sure:

              8 Afghanistan
              21 Albania
              106 Algeria
              6 Andorra
              2 Angola
              1 Antigua and Barbuda
              1595 Argentina
              5 Armenia
              960 Australia
              503 Austria
              19 Azerbaijan
              9 Bahamas
              105 Bahrain
              121 Bangladesh
              1 Barbados
              24 Belarus
              305 Belgium
              4 Belize
              5 Benin
              2 Bermuda
              4 Bhutan
              158 Bolivia
              40 Bosnia and Herzegovina
              1367 Brazil
              96 Brunei Darussalam
              102 Bulgaria
              12 Burkina Faso
              13 Cambodia
              14 Cameroon
              1194 Canada
              5 Chad
              734 Chile
              2544 China
              515 Colombia
              1 Comoros
              250 Costa Rica
              123 Croatia
              17 Cuba
              146 Cyprus
              260 Czech Republic
              27 Côte d'Ivoire
              104 Denmark
              3 Djibouti
              38 Dominican Republic
              110 Ecuador
              7615 Egypt
              68 El Salvador
              1 Equatorial Guinea
              1 Eritrea
              17 Estonia
              5 Ethiopia
              8 Fiji
              66 Finland
              1248 France
              1 French Polynesia
              3 Gabon
              31 Georgia
              1768 Germany
              15 Ghana
              6 Gibraltar
              4716 Greece
              7 Guam
              57 Guatemala
              6 Haiti
              706 Hong Kong Special Administrative Region of China
              56 Hungary
              2 Iceland
              79610 India
              3873 Indonesia
              656 Iran (Islamic Republic of)
              15 Iraq
              236 Ireland
              747 Israel
              22710 Italy
              1 Jamaica
              327 Japan
              909 Jordan
              27 Kazakhstan
              97 Kenya
              1294 Kuwait
              5 Kyrgyzstan
              39 Lao People's Democratic Republic
              67 Latvia
              158 Lebanon
              56 Libyan Arab Jamahiriya
              1 Liechtenstein
              109 Lithuania
              33 Luxembourg
              9 Macau
              8 Madagascar
              3 Malawi
              7176 Malaysia
              17 Maldives
              2 Mali
              56 Malta
              2 Mauritania
              52 Mauritius
              2962 Mexico
              26 Monaco
              1 Mongolia
              112 Morocco
              3 Mozambique
              16 Nepal
              410 Netherlands
              9 Netherlands Antilles
              148 New Zealand
              30 Nicaragua
              3 Niger
              110 Nigeria
              1 Northern Mariana Islands
              136 Norway
              441 Oman
              695 Pakistan
              1 Palau
              53 Panama
              13 Papua New Guinea
              13 Paraguay
              54878 Peru
              2463 Philippines
              701 Poland
              420 Portugal
              5 Puerto Rico
              232 Qatar
              354 Republic of Korea
              4 Republic of Moldova
              314 Romania
              312 Russian Federation
              10 San Marino
              5 Sao Tome and Principe
              252 Saudi Arabia
              28 Senegal
              1392 Singapore
              27 Slovakia
              33 Slovenia
              1 Solomon Islands
              472 South Africa
              1384 Spain
              1750 Sri Lanka
              116 Sudan
              1 Swaziland
              331 Sweden
              429 Switzerland
              49 Syrian Arab Republic
              487 Taiwan
              1658 Thailand
              64 The former Yugoslav Republic of Macedonia
              6 Togo
              50 Trinidad and Tobago
              102 Tunisia
              15516 Turkey
              22 Uganda
              78 Ukraine
              1391 United Arab Emirates
              1960 United Kingdom
              37 United Republic of Tanzania
              15270 United States
              1 United States Virgin Islands
              2837 Unknown
              92 Uruguay
              14 Uzbekistan
              519 Venezuela
              353 Viet Nam
              197 Yemen
              60 Yugoslavia
              9 Zambia
              3 Zimbabwe


              Q: Those stats look a little off. How can Turkey, with a much smaller Internet-connected population have more infections than the United States?
              A: Indeed - it does appear strange - however, viruses don't always spread uniformly. There are many factors at play which are hard to quantify, such as the initial seeding, social-engineering, AV deployment, and random chance. And, as with all statistics, take with a grain of salt.

              Q: Peru? Are you sure?
              A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.

              Q: How can I keep current on this threat until February 3?
              A: Sites with frequent updates on BlackWorm are http://isc.sans.org/blackworm/ and http://blogs.securiteam.org/

              Update - January 31, 2006

              We decided to take a different approach to de-duplicating the IP addresses in the logs. Instead of only counting unique IP/User-Agent pairs, this time we make an educated guess as to what constitutes a single user rebooting multiple times, and what constitutes a company or organization utilizing one or several NAT devices. In this case we unscientifically picked a number, ten. IP addresses with fewer than this number of hits are considered to fall into the individual user/multiple reboots category. IP addresses with more than this number of hits are considered one infection per hit. There is still plenty of room for error, but we get some interesting results:

              In the chart above, we have an additional day's worth of logs, and we have combined all countries with fewer than around 4000 hits together in the "Other" grouping.

              We can see that the United States now tops India in the total number of infections, as one might expect. Surprisingly though, the bulk (75,435) of these hits are from two NAT devices at a single US company. Based on the more recent logs plus the different methodology, we believe the total number of users infected worldwide is actually closer to 600,000.
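              The two counting methods described in this analysis (the January 26 count of unique IP/User-Agent pairs after removing the counter-inflation traffic and non-conforming requests, and the January 31 ten-hit NAT threshold) as a worked example. This is added Python, not code from the original analysis, which used the IP::Country and Geography::Countries Perl modules. The worm's request path, the assumption that it sends the infected host's own MSIE User-Agent, the attacker IP list, the geolocation table and the log lines themselves are all constructed placeholders, since the page does not reproduce the real request signature or logs.

```python
import re
from collections import Counter

# Assumptions (not from the original analysis): the page does not reproduce the
# worm's actual request line, so WORM_PATH is a placeholder, and the worm is
# assumed to send the infected host's own MSIE User-Agent, which is why the
# analysis could split one IP by User-Agent. ATTACKER_IPS stands in for the
# 279 inflation hosts, which the page says were identified but not how.
WORM_PATH = "/counter.cgi?id=blackworm"                            # assumed
WORM_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE"                   # assumed
ATTACKER_IPS = frozenset({"10.9.9.9"})                             # constructed
COUNTRY_OF_PREFIX = {"10.1.": "US", "10.2.": "IN", "10.3.": "PE"}  # constructed

# Combined log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_worm_hit(rec):
    """Keep only requests that conform to the worm's request signature."""
    return (rec["method"] == "GET" and rec["path"] == WORM_PATH
            and rec["ua"].startswith(WORM_UA_PREFIX))


def worm_hits(lines, attacker_ips=ATTACKER_IPS):
    """Drop malformed lines, non-signature requests and counter-inflation hosts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] not in attacker_ips and is_worm_hit(rec):
            hits.append(rec)
    return hits


def count_unique_pairs(hits):
    """Jan 26 method: one infection per distinct (IP, User-Agent) pair."""
    return len({(h["ip"], h["ua"]) for h in hits})


def infections_per_ip(hits, threshold=10):
    """Jan 31 method: an IP with fewer than `threshold` hits is one user rebooting
    (1 infection); an IP with at least `threshold` hits is treated as a NAT device
    (one infection per hit). The page leaves exactly ten unspecified; >= is assumed."""
    per_ip = Counter(h["ip"] for h in hits)
    return {ip: (1 if n < threshold else n) for ip, n in per_ip.items()}


def count_with_nat_threshold(hits, threshold=10):
    """Total infections under the NAT-threshold method."""
    return sum(infections_per_ip(hits, threshold).values())


def infections_by_country(hits, threshold=10):
    """Per-country totals under the threshold method, via the constructed table."""
    totals = Counter()
    for ip, n in infections_per_ip(hits, threshold).items():
        cc = next((c for p, c in COUNTRY_OF_PREFIX.items() if ip.startswith(p)), "Unknown")
        totals[cc] += n
    return totals


def _line(ip, path=WORM_PATH, ua=WORM_UA_PREFIX + " 6.0; Windows NT 5.1)", n=1):
    """Build n identical constructed log lines for one client (sample data only)."""
    return [f'{ip} - - [25/Jan/2006:08:00:00 +0000] "GET {path} HTTP/1.1" 200 43 "-" "{ua}"'] * n


SAMPLE_LOG = (                                                   # constructed, not real logs
    _line("10.1.0.5", n=3)                                       # one US user, three reboots
    + _line("10.1.0.9", n=12)                                    # US office behind one NAT
    + _line("10.1.0.9", ua=WORM_UA_PREFIX + " 5.5; Windows 98)") # second UA, same NAT
    + _line("10.2.0.7")                                          # single IN host
    + _line("10.3.0.2", n=2)                                     # PE host, one reboot
    + _line("10.9.9.9", n=5)                                     # inflation host, spoofed signature
    + _line("10.9.9.8", ua="curl/7.15.1", n=4)                   # inflation host, wrong UA
    + _line("10.2.0.8", path="/robots.txt")                      # crawler, wrong path
    + ["this line is not a log record"]                          # malformed
)

if __name__ == "__main__":
    hits = worm_hits(SAMPLE_LOG)
    print("signature hits:", len(hits))                                        # 19
    print("unique IP/UA pairs (Jan 26 method):", count_unique_pairs(hits))      # 5
    print("NAT-threshold infections (Jan 31 method):", count_with_nat_threshold(hits))  # 16
    print("by country:", dict(infections_by_country(hits)))                    # {'US': 14, 'IN': 1, 'PE': 1}
```

              The sample illustrates why the two methods diverge: the NAT'd office at 10.1.0.9 counts as two infections under the pair method (two User-Agents) but as thirteen under the threshold method, while the single rebooting user at 10.1.0.5 counts as one under both. Lowering the threshold converts more rebooting users into phantom NAT devices, raising it hides real ones, which is the uncertainty the analysis flags when it calls the choice of ten unscientific.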
