In the April 1 entry, Bkis announced that there are now only 1.3 million Conficker.C-infected machines worldwide. This number was recorded by our malware trap, the Bkis Honeypot System. How could such an exact number be figured out? Let’s have a look at the working principle of the system:
To build this system, we bought 6 of the 50,000 domain names that the worm would query on April 1. Six corresponding servers were then set up, and these domain names were pointed to them. Consequently, starting from April 1, when Conficker-infected computers began “calling home” to 50,000 domain names, they would also make queries to our servers.
We developed special software for the servers of the Honeypot System to log every query from the worm. These logs would then be analyzed by another piece of our software to produce the final statistics.
As we all know, on April 1, each Conficker-infected machine would call home to the 50,000 generated domain names, including the six domain names pointed to our servers. Thus, we were able to record the number of infected computers querying our servers.
One question to consider: is the number of queries to the Bkis Honeypot System equivalent to the number of Conficker-infected computers worldwide?
On April 1, each Conficker-infected machine is programmed to query only 500 out of 50,000 domain names. In other words, only 1 percent of all the domain names (500 in 50,000) would receive requests from that computer.
Consequently, the number of queries to Bkis Honeypot only accounts for 1 percent of all the queries made by infected computers in the world. On April 1, Bkis Honeypot recorded 13,841 queries from infected computers worldwide, which means the total number of Conficker-infected computers globally must be 1,384,100 (13,841 x 100). And this is a precise number.
Details of the Bkis Honeypot diagram:
(1): Infected computers worldwide calling home to 50,000 domain names on the Internet
(2): Bkis Honeypot Sensor: a six-server system set up to trap “calling home” worms
(3): Worm’s query logs
(4): Bkis Honeypot Analyzer: the log analysis system that produces the statistics
(5): The precise number of Conficker-infected computers worldwide and the respective rate of each country
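
The logging and analysis steps described above, as an added example that is not Bkis's software: it counts distinct sources per sinkholed domain, scales each count by the article's 50,000/500 factor, and computes each country's share. The log format, the pre-resolved country field, the sample lines, the domain names and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

TOTAL_DOMAINS = 50_000    # domains generated for April 1 (figure from the article)
DOMAINS_PER_HOST = 500    # domains each infected host queries (figure from the article)

# Constructed sample log, hypothetical format:
#   "timestamp source_ip country queried_domain"
# Addresses come from documentation ranges; domains are placeholders.
SAMPLE_LOG = """\
2009-04-01T00:03:11Z 192.0.2.10 VN sinkhole-a.example
2009-04-01T00:03:12Z 192.0.2.10 VN sinkhole-a.example
2009-04-01T00:07:45Z 198.51.100.7 BR sinkhole-a.example
2009-04-01T01:15:02Z 203.0.113.5 CN sinkhole-b.example
2009-04-01T01:20:30Z 192.0.2.10 VN sinkhole-b.example
malformed line
2009-04-01T02:00:00Z 203.0.113.9 CN sinkhole-b.example
"""


def parse(log_text):
    """Yield (source_ip, country, domain) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            _, ip, country, domain = fields
            yield ip, country, domain.lower()


def analyze(log_text):
    """Return (estimated infections per domain, share of sources per country)."""
    sources_per_domain = defaultdict(set)
    country_of = {}
    for ip, country, domain in parse(log_text):
        # Assumption: one source address is one machine. NAT and DHCP
        # break this, so repeat queries are only deduplicated by address.
        sources_per_domain[domain].add(ip)
        country_of[ip] = country

    # Each domain is queried by 500/50,000 = 1% of hosts, so scale by 100.
    scale = TOTAL_DOMAINS // DOMAINS_PER_HOST
    estimates = {d: len(ips) * scale for d, ips in sources_per_domain.items()}

    counts = defaultdict(int)
    for country in country_of.values():
        counts[country] += 1
    shares = {c: n / len(country_of) for c, n in counts.items()}
    return estimates, shares
```

Each sinkholed domain yields its own estimate, so comparing the per-domain figures gives a quick consistency check on the sample.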