BlackWorm Statistics & Details

Date: January 26, 2006
Author: Joe Stewart

Analysis

As reported in the previous analysis, BlackWorm contacts a web stats counter to report infections. Working with the ISP hosting the counter along with the TISF BlackWorm task force, we have obtained and analyzed the logs from the counter.

Update: February 6, 2006

The folks at CAIDA have done a terrific job of applying statistical theory to the raw log hits - if you're looking for in-depth statistical analysis, you should check out their writeup.

An attempt was made by an unknown party to artificially inflate the counter using a set of 279 distributed (presumably compromised) computers. However, it is easy to differentiate these requests from the actual infected systems. As of the time these statistics were taken, the counter is well above 5 million, however, the actual count of infected users is closer to 300,000 worldwide and not increasing at too great a rate.

The graph above shows the total hits from all sources on the counter. Notice the sharp increase on Jan 25 at 8:00AM, as the coordinated attack on the counter begins.

The graph above shows the total infections, after removing the attacking IPs and other hits which do not conform to the signature of the worm's requests. Duplicate IP addresses with the same user-agent have been removed as well, giving us as near to an actual infection count as possible, given the use of proxy/cache servers.

The pie chart above shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are skewed by ARIN IP address reassignment, but we do believe India is the hardest-hit country by far in terms of overall infection rate.

Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning.

Frequently Asked Questions

Q: What did you use to match IP addresses to countries?
A: The IP::Country and Geography::Countries Perl modules.

Q: Isn't it impossible to get an exact count, due to proxy/cache servers and NAT?
A: Yes, this is a well-known problem with taking web statistics. We've tried to eliminate this skew as much as possible by checking the user-agent string as well as the IP, but even that is not perfect. One thing to consider is that users on dialup lines will skew the count in the other direction, showing up as multiple IPs for one infection, so you're never going to have a 100% accurate count.

Q: Can you share the complete counts for all infected countries?
A: Sure:

8	Afghanistan
21	Albania
106	Algeria
6	Andorra
2	Angola
1	Antigua and Barbuda
1595	Argentina
5	Armenia
960	Australia
503	Austria
19	Azerbaijan
9	Bahamas
105	Bahrain
121	Bangladesh
1	Barbados
24	Belarus
305	Belgium
4	Belize
5	Benin
2	Bermuda
4	Bhutan
158	Bolivia
40	Bosnia and Herzegovina
1367	Brazil
96	Brunei Darussalam
102	Bulgaria
12	Burkina Faso
13	Cambodia
14	Cameroon
1194	Canada
5	Chad
734	Chile
2544	China
515	Colombia
1	Comoros
250	Costa Rica
123	Croatia
17	Cuba
146	Cyprus
260	Czech Republic
27	C?te d'Ivoire
104	Denmark
3	Djibouti
38	Dominican Republic
110	Ecuador
7615	Egypt
68	El Salvador
1	Equatorial Guinea
1	Eritrea
17	Estonia
5	Ethiopia
8	Fiji
66	Finland
1248	France
1	French Polynesia
3	Gabon
31	Georgia
1768	Germany
15	Ghana
6	Gibraltar
4716	Greece
7	Guam
57	Guatemala
6	Haiti
706	Hong Kong Special Administrative Region of China
56	Hungary
2	Iceland
79610	India
3873	Indonesia
656	Iran (Islamic Republic of)
15	Iraq
236	Ireland
747	Israel
22710	Italy
1	Jamaica
327	Japan
909	Jordan
27	Kazakhstan
97	Kenya
1294	Kuwait
5	Kyrgyzstan
39	Lao People's Democratic Republic
67	Latvia

158	Lebanon
56	Libyan Arab Jamahiriya
1	Liechtenstein
109	Lithuania
33	Luxembourg
9	Macau
8	Madagascar
3	Malawi
7176	Malaysia
17	Maldives
2	Mali
56	Malta
2	Mauritania
52	Mauritius
2962	Mexico
26	Monaco
1	Mongolia
112	Morocco
3	Mozambique
16	Nepal
410	Netherlands
9	Netherlands Antilles
148	New Zealand
30	Nicaragua
3	Niger
110	Nigeria
1	Northern Mariana Islands
136	Norway
441	Oman
695	Pakistan
1	Palau
53	Panama
13	Papua New Guinea
13	Paraguay
54878	Peru
2463	Philippines
701	Poland
420	Portugal
5	Puerto Rico
232	Qatar
354	Republic of Korea
4	Republic of Moldova
314	Romania
312	Russian Federation
10	San Marino
5	Sao Tome and Principe
252	Saudi Arabia
28	Senegal
1392	Singapore
27	Slovakia
33	Slovenia
1	Solomon Islands
472	South Africa
1384	Spain
1750	Sri Lanka
116	Sudan
1	Swaziland
331	Sweden
429	Switzerland
49	Syrian Arab Republic
487	Taiwan
1658	Thailand
64	The former Yugoslav Republic of Macedonia
6	Togo
50	Trinidad and Tobago
102	Tunisia
15516	Turkey
22	Uganda
78	Ukraine
1391	United Arab Emirates
1960	United Kingdom
37	United Republic of Tanzania
15270	United States
1	United States Virgin Islands
2837	Unknown
92	Uruguay
14	Uzbekistan
519	Venezuela
353	Viet Nam
197	Yemen
60	Yugoslavia
9	Zambia
3	Zimbabwe

Q: Those stats look a little off. How can Turkey, with a much smaller Internet-connected population have more infections than the United States?
A: Indeed - it does appear strange - however, viruses don't always spread uniformly. There are many factors at play which are hard to quantify, such as the initial seeding, social-engineering, AV deployment, and random chance. And, as with all statistics, take with a grain of salt.

Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.

Q: How can I keep current on this threat until February 3?
A: Sites with frequent updates on BlackWorm are http://isc.sans.org/blackworm/and http://blogs.securiteam.org/

Update - January 31, 2006

We decided to take a different approach to de-duplicating the IP addresses in the logs. Instead of only counting unique IP/User-Agent pairs, this time we make an educated guess as to what constitues a single user rebooting multiple times, and what constitutes a company or organization utilizing one or several NAT devices. In this case we unscientifically picked a number, ten. IP addresses with fewer than this number of hits are considered to fall into the individual user/multiple reboots category. IP addresses with more than this number of hits are considered one infection per hit. Still plenty of room for error, but we get some interesting results:

In the chart above, we have an additional day's worth of logs, and we have combined all countries with fewer than around 4000 hits together in the "Other" grouping.

We can see that the United States now tops India in the total number of infections, as one might expect. Surprisingly though, the bulk (75,435) of these hits are from two NAT devices at a single US company. Based on the more recent logs plus the different methodology, we believe the total number of users infected worldwide is actually closer to 600,000.