Conficker still rampant in some countries' networks

Research on Conficker infections by the ShadowServer Foundation, a non-profit botnet tracking consortium, found that while Conficker infections were relatively minimal on US networks, the countries listed below had high concentrations of infections. The Foundation monitored autonomous systems (ASs), which are IP prefixes owned by one or more organizations that present a single, consistent routing policy to the internet.

The ASs, represented by autonomous system numbers (ASNs), showed high levels of infection with the Conficker A, B, and C variants over the course of the year. In India, 13.73% of ICLNet-AS's unique IP addresses suffered from unique A, B or C Conficker infections. Another AS, Alliance-Gateway-AS, had a 15.07% hit rate. Wishet-AS had 14.74%.

Russia's ASNs frequently came in at the 4-5% mark. Particularly high scorers were SAN, with 8.18% of unique IP addresses suffering from Conficker infections; Mordovia, with 9.97%; and Maginfo, another AS, with 10.62%.

Thailand's CAT-AS had 8.5%, while Vietnam's VNPT-AS had 9.93% of its unique IP addresses infected with the worm. Ukraine's Telesweet had 13.03% of its IPs compromised with the malware.

China's Chinanet took pole position in sheer numbers, with 915,643 unique IPs infected by the Conficker worm. However, its routing space is huge, with 92.5 million separate addresses in that single AS.

Conficker's spread throughout the year has been steadily increasing, according to aggregate data gathered by the Foundation. However, the worm still hasn't delivered a clear payload. For the most part, its main activity to date seems to be simply replicating itself across different systems. The Conficker Working Group, of which the ShadowServer Foundation is a founding member, is still waiting for the other shoe to drop.

"At the end of the day, we can’t speculate on the intentions of criminals, but what we can do is work to limit the impact of any second phase", said a statement on the Working Group's website. 
