In the shoes of Conficker

Following in the footsteps of Conficker, the Waledac worm has been spreading throughout the world, infecting piles of computers in its wake.  I found another site that listed some of the URLs associated with the Waledac malware.  I checked some of our spam statistics and decided to check to see the geographical IP origin of these infected systems:


As you can see, the United States, China and Korea account for over half of the distinct IPs in the Waledac botnet. The numbers after that start to shrink dramatically. But for all of these distinct IPs, how much spam do they actually send? That’s in the table below (actual spam counts removed and normalized to percentages).


There is no change in the ordering of the top 3 countries, but Taiwan jumps from 8th to 3rd, Brazil drops from 3rd to 6th, and Canada jumps from 17th to 8th.  Of course, there are other changes but these ones jump out at me.

Also note that while the US accounts for 23% of spamming IPs, it accounts for 30% of the spam. For the most part, a country's share of the spam tends to be out of proportion to its share of the spamming IPs.
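The comparison above, share of distinct sending IPs versus share of spam volume per country and the resulting rank shifts, can be reproduced from per-IP spam counts. This is an added example, not code or data from the original post: the records are constructed (documentation-range IPs, made-up counts) and are assumed to be already tagged with a country code by a GeoIP lookup.

```python
from collections import defaultdict

# Constructed sample: (source IP, country code, spam messages seen).
# An IP can appear in several records; it must still count once per country.
SAMPLE = [
    ("192.0.2.1", "US", 30), ("192.0.2.1", "US", 20), ("192.0.2.2", "US", 20),
    ("192.0.2.3", "US", 20), ("192.0.2.4", "US", 10),
    ("198.51.100.1", "CN", 20), ("198.51.100.2", "CN", 20),
    ("198.51.100.3", "CN", 10),
    ("203.0.113.1", "BR", 5), ("203.0.113.2", "BR", 5),
    ("203.0.113.50", "TW", 40),
]

def country_shares(records):
    """Return {country: (pct of distinct IPs, pct of spam volume)}."""
    ips, spam = defaultdict(set), defaultdict(int)
    for ip, cc, count in records:
        ips[cc].add(ip)          # set membership de-duplicates repeat senders
        spam[cc] += count
    total_ips = sum(len(s) for s in ips.values())
    total_spam = sum(spam.values()) or 1   # avoid dividing by zero volume
    return {cc: (round(100 * len(ips[cc]) / total_ips, 1),
                 round(100 * spam[cc] / total_spam, 1)) for cc in ips}

def rankings(shares):
    """Return {country: (rank by IP share, rank by spam share)}, 1 = largest."""
    def order(col):
        ranked = sorted(shares, key=lambda cc: (-shares[cc][col], cc))
        return {cc: pos for pos, cc in enumerate(ranked, 1)}
    by_ip, by_spam = order(0), order(1)
    return {cc: (by_ip[cc], by_spam[cc]) for cc in shares}

if __name__ == "__main__":
    shares = country_shares(SAMPLE)
    ranks = rankings(shares)
    for cc in sorted(ranks, key=lambda c: ranks[c][1]):
        ip_pct, spam_pct = shares[cc]
        ip_rank, spam_rank = ranks[cc]
        # A ratio above 1 means the country's bots send more than their share.
        print(f"{cc}: {ip_pct}% of IPs (rank {ip_rank}), "
              f"{spam_pct}% of spam (rank {spam_rank}), "
              f"ratio {spam_pct / ip_pct:.2f}")
```

A country whose spam share exceeds its IP share (ratio above 1) hosts bots that send more than the botnet average, which is what moves it up the second ranking.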