a victim and use those peers as the basis of its attack, which makes such applications highly attractive targets for worm authors. Although we have yet to see such a worm in the wild, these applications must be scrutinized for security. These applications are also vulnerable to contagion worms, as discussed in Section 5.

Similarly, a worm attacking web servers could look for URLs on disk and use these URLs as seed targets as well as simply scanning for random targets. Since these are known to be valid web servers, this would tend to greatly increase the initial spread by preferentially probing for likely targets.
4.5 Flash Worms

We further observe that there is a variant of the hit-list strategy that could plausibly result in most of the vulnerable servers on the Internet being infected in tens of seconds. We term this a flash worm.

The nub of our observation is that an attacker could plausibly obtain a hit-list of most servers with the relevant service open to the Internet in advance of the release of the worm.[5] In addition to the methods already discussed for constructing a hit-list in Section 4.1, a complete scan of the Internet through an OC-12 connection would complete quickly. Given a rate of 750,000 TCP SYN packets per second (the OC-12 provides 622 Mbps, the TCP segment takes 40 bytes, and we allow for link-layer framing), and that the return traffic is smaller in volume than the outbound (it is comprised of either same-sized SYN ACKs or RSTs, smaller ICMPs, or, most often, no response at all), it would take roughly 2 hours to scan the entire address space. Faster links could of course scan even faster. Such a brute-force scan would be easily within the resources of a nation-state bent on cyberwarfare.

Given that an attacker has the determination and foresight to assemble a list of all or most Internet-connected addresses with the relevant service(s) open, a worm can spread most efficiently by simply attacking addresses on that list. For example, there are about 12.6 million Web servers on the Internet (according to Netcraft [Ne02]), so the size of that particular address list would be 48 MB, uncompressed. The initial copy of the worm can be programmed to divide the list into n blocks, and then to find and infect the first address in each block (or an especially chosen high-bandwidth address in that block), and then hand the child worm the list of addresses for that block. That copy of the worm can then re-iterate the process to infect everything in its block. A threaded worm could begin infecting hosts before it had received the full host list from its parent to work on, to maximize the parallelization process, and it could start work on looking for multiple children in parallel.

This design is somewhat fragile if an early copy of the worm is neutralized very quickly, or infects a site from which it cannot scan out. To mitigate this, the worm copies could overlap in their scanning so that all addresses were scanned a small number of times, with every target address being scanned by different paths through the infection tree. This has the additional side-effect of removing the need for further parent-to-child communication after initial infection occurs.

A related design would call for most of the address list to be located in pre-assigned chunks on one or a number of high-bandwidth servers that were well-known to the worm. Each copy of the worm would receive an assignment from its parent, and then fetch the address list from there. The server would only have to send out portions of the list, not the entire list; in principle, it should only have to transmit each address in the list once. In addition, after the worm has propagated sufficiently that a large number of copies are attempting to fetch their (now quite small) lists, at that point the worm collective could switch to sending around the address list with each new infection, rather than having the infectees each contact the server.

This process will result in relatively little wasted effort. For example, if the worm had a list of Web servers, and a zero-day IIS vulnerability, about 26% of the list would be vulnerable. No server would be probed twice. If n = 10, then the infection tree for the 3 million vulnerable servers would be just 7 layers deep.

The spread rate of such a worm would likely be constrained by one of two things. The worm itself is likely to be small (Code Red I was about 4 KB, and a highly malicious worm could easily be less than 100 KB, even allowing for a complex payload). Thus, at the start, the address list is much larger than the worm itself, and the propagation of the worm could be limited by the time required to transmit the host list out of the initial infection site or servers where it was stored. Since all the children of the infection will have much smaller lists to transmit, these later lists are less likely to limit the worm spread

[5] Servers behind load balancers create complications here, as do machines that connect to the Internet with variable IP addresses but nonetheless have vulnerable services open.
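The two quantities the text reasons about, the depth of the block-partitioning infection tree and the size of the list each parent must push to its children, can be computed directly. The following is an added model written for this page, not code from the paper or its authors. It assumes uncompressed IPv4 addresses (4 bytes each, matching the 12.6 million to 48 MB figure), near-equal splitting of a block into n sub-blocks, every infection attempt succeeding, and the same uplink rate on every host; the 100 Mbps uplink in the usage lines is an illustrative assumption, not a value from the paper.

```python
"""Model of the flash-worm hit-list partitioning scheme (added example).

Computes (a) how many rounds of parent-to-child hand-off are needed before
every block is down to a single address, which is the tree depth the text
quotes, and (b) how many bytes each sender must transmit to its children in
each round, which is the first spread-rate constraint the text identifies.
No network activity: this is arithmetic over assumed parameters.
"""

ADDR_BYTES = 4  # assumption: uncompressed IPv4 address (12.6M addresses -> ~48 MB)


def ceil_div(a, b):
    return -(-a // b)


def infection_rounds(num_targets, n):
    """Rounds of hand-off until each block holds at most one address.

    Every holder of a block splits it into n near-equal sub-blocks and
    infects the first address of each, so the largest block shrinks by a
    factor of n per round.  Equals ceil(log_n(num_targets)) but is computed
    with integer arithmetic to avoid floating-point edge cases.
    """
    rounds, block = 0, num_targets
    while block > 1:
        block = ceil_div(block, n)
        rounds += 1
    return rounds


def handoff_schedule(list_size, n, uplink_bps):
    """Per-round cost of shipping the address list down the tree.

    Returns one dict per round: roughly how many hosts are sending
    (n ** (round - 1) when all blocks are still non-empty), the size of the
    block each of them holds, the bytes it has to transmit to its children
    (each address in the block goes to exactly one child), and the transmit
    time on a uplink of `uplink_bps` bits per second.
    """
    schedule = []
    senders, block = 1, list_size
    while block > 1:
        bytes_out = block * ADDR_BYTES
        schedule.append({
            "round": len(schedule) + 1,
            "senders": senders,
            "block_size": block,
            "bytes_per_sender": bytes_out,
            "seconds": bytes_out * 8 / uplink_bps,
        })
        block = ceil_div(block, n)
        senders *= n
    return schedule


def total_handoff_seconds(list_size, n, uplink_bps):
    """Serialised hand-off time if every round waits for its parent's full
    list (the text notes a threaded worm could overlap these)."""
    return sum(r["seconds"] for r in handoff_schedule(list_size, n, uplink_bps))


def brute_force_scan_hours(syn_per_second):
    """Hours for one host to send a SYN to every IPv4 address at a fixed rate
    (the text's 750,000 SYN/s OC-12 estimate gives roughly 1.6 hours)."""
    return 2 ** 32 / syn_per_second / 3600


if __name__ == "__main__":
    print("rounds for 3M vulnerable hosts, n=10:", infection_rounds(3_000_000, 10))
    # assumption: 12.6M-entry list, n=10, 100 Mbps uplink on every host
    for row in handoff_schedule(12_600_000, 10, 100_000_000):
        print(row)
    print("serialised hand-off seconds:",
          round(total_handoff_seconds(12_600_000, 10, 100_000_000), 2))
    print("OC-12 brute-force scan hours:", round(brute_force_scan_hours(750_000), 2))
```

The schedule makes the text's point concrete: with a 12.6 million entry list the root must push about 50 MB before its first children can start, while by the third round each sender holds a list of only a few hundred kilobytes, so the initial hand-off dominates and everything below it is a small fraction of the total.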