BlackWorm: infection rates stay the same

After investigation with the ISP (RCN) and various people from the TISF BlackWorm task force (special thanks to Joe Stewart, Randy Vaughn, Johannes Ullrich and all the SANS ISC handlers), it appears that someone (probably the worm author) was trying to be funny and DDoS the counter.

Looking only at unique IP addresses and removing the ones from the DDoS, we end up with only about 300k users whose world is going to crumble on February 3rd.

Gadi Evron,

  • Technocrat

    Nice work, sunshine.

  • dbrown

    Could the multiple hits from single IP addresses not be the result of clients infected behind a NAT device?

  • saint

    I would think it is the other way around, that is to say, if multiple infected machines would be behind NAT they would register as one since they would all seem to have the same IP address.

  • Nicholas Hawley

    I have come to the same conclusion as the other two. Eliminating dups means that only gateways are being counted. So if my entire network of 1000 nodes were infected, according to this methodology, only 5 “infections” would be shown, as all but 5 are “inside” and thus are NAT’d. I have a very BAD feeling about this one, that the folks driving the bus are very wrong. I think the 3rd will be a very BAD day for us.

  • sunshine

    Joe answers some of these questions:

  • http://MSN.COM Jean Baer

    I was sent this email about a virus. I am new to computers so I don’t know what I am supposed to do to keep it from infecting my computer. If you can help, please email me.
    Thank you
    Jean Baer

  • sunshine

    Jean: You need to get an anti virus, install and update it. If you can’t do it alone ask somebody to help you, and then scan your computer.

    As a stop-gap solution, you can also try one of the online scanning services; try to Google for “online anti virus scan”.

  • sunshine

    There is a users’ FAQ posted here: