[Dshield] CME-24

Joe Stewart jstewart at lurhq.com
Thu Feb 2 15:52:53 GMT 2006

On Thursday 02 February 2006 10:00 am, Paul Marsh wrote:
> The numbers seam to be a little twisted.
> Thanx, Paul
> 	http://www.lurhq.com/blackworm-stats.html
> 	http://www.f-secure.com/weblog/#00000800
> 	http://www.trendmicro.com/map/

You really can't compare these three graphs - Trend is looking only at 
infections detected by customers using their product. F-Secure is only 
mapping IPs to lat/long coordinates, but the map says nothing about 
overall numbers infected, as some countries may have most of their 
Internet access centered around major population hubs, while others are 
more spread out. The LURHQ chart is taking an estimate of infections 
per country based on the hit counter, but correlating "hits from an IP 
address" to actual infection counts is not an exact science. This is a 
known problem with web stats in general.

So, don't worry about the numbers too much - it's liable to be off a by 
a couple hundred thousand any way you slice it. The bottom line is, 
some people are going to feel some pain from this tomorrow, but it 
isn't likely to be a problem for most. If you're worried, send me the 
netblocks you are responsible for and I'll tell you if there are any 
hits to the counter originating from it.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the list mailing list