Conficker botnet not nearly as large as feared

An analysis of the Conficker peer-to-peer network set up by the latest variant of the worm shows that the size of the network is far smaller than originally thought. Estimates of the size of the botnet have run far into the millions, but analysts at Kaspersky Lab have been observing the network and found that it includes about 200,000 machines.


The analysts at Kaspersky (Threatpost’s corporate sponsor) observed the network for a 24-hour period this week and discovered 200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker.

“This is mostly due to the fact that only the latest variants of Kido are participating in the peer-to-peer network and only a fraction of the nodes infected with earlier variants have been updated with new variants,” Georg Wicherski, a virus analyst, wrote in a blog post on the worm.

The analysts wrote a custom application to monitor the Conficker network and found that the infected machines are highly concentrated in both the eastern half of the U.S. and in Europe. The P2P network is being used by the worm’s creators to distribute updates to infected machines.

The Kaspersky analysis also showed that there are a number of infected machines that are not connected to any other infected PCs in the network.
