300000 200.000 100000 Time(minutes Time(hours) nfected Machines Active worms Figure 7: The spread of three simulated worms in a popu- Figure 8: A closeup of the behavior of the Warhol worm tion of 300,000 vulnerable machines: (i a Code Red-like seen in Figure 7. The infection initially progresses rapidly worm capable of 10 scans/second, (ii) a faster scanning worm effectively all worms are actively scanning the net -but as in- capable of 100 scans/second, and (iii)a Warhol worm, capable fection rates near 100%, many worms have gone dormant, cor- of 100 scans/second, using a 10,000 entry hit-list and permu- rectly concluding that there are few vulnerable machines I tation scanning which gives up when 2 infected machines are maining and should therefore cease scanning discovered without finding a new target. All graphs stop at 99.99% infection of the simulated addres 15 minutes set of vulnerable machines. We used a 32-bit, 6-round Figure 8 shows in more detail the behavior of the Warhol ariant of RC5 to generate all permutations and random strategies. It gets a huge boost from the hit-list during the numbers first few seconds of propagation, quickly establishing it- self on the network and then spreading exponentially. As We can parameterize the simulation in terms of: the the infection exceeds the 50 number of vulnerable machines in the address space, begin recognizing that saturation is occurring and stop scans per second; the time to infect a machine, num- scanning. By the time the graph ends(at 99.99% of ber infected during the hit-list phase; and the type of the simulated population), most of the worms have gone secondary scan(permutation, partitioned permutation, silent, leaving a few remaining worms to finish scannin or random). The simulator assumes multithreaded scan- the last of the address spac To ensure that the simulator produces reasonable re- 4.4 Topological Scanning sults, Figure 6 shows a comparison between the simu lator's output and the model developed in Section 2, for a worm capable of 10 scans/second in a population of An alternative to hit-list scanning is topologically aware 300.000 vulnerable machines. The simulation results fit canning. which uses information contained on the vic- the model for K= 2.6 and T=5.52. This represents a tim machine in order to select new targets. Email worms worm which is slightly faster(less than 50%)than Code Red I ave used this tactic since their inception, as they harvest addresses from their victim in order to find new poten tial targets, as did the Morris worm(necessary because Figure 7 then shows how both faster scanning and the of the very sparse address space when was released) Warhol strategies affect the propagation time. The faster scanning worm(capable of 100 scans/second)reduces the infection time down to under an hour, while the com- Many future active worms could easily apply these tech- bination of hit-list scanning, permutation scanning, and niques during the initial spread, before switching to fast scanning, further reduces infection time to roughly a permutation scan once the known neighbors are ex hausted. An active worm local scanning. to-peer application could easily get a list of peers from0 100,000 200,000 300,000 0 1 2 3 4 6 7 8 Time (hours) Number of Instances Conventional Fast Scanning Warhol Figure 7: The spread of three simulated worms in a population of 300,000 vulnerable machines: (i) a Code Red-like worm capable of 10 scans/second, (ii) a faster scanning worm capable of 100 scans/second, and (iii) a Warhol worm, capable of 100 scans/second, using a 10,000 entry hit-list and permutation scanning which gives up when 2 infected machines are discovered without finding a new target. All graphs stop at 99.99% infection of the simulated address space. set of vulnerable machines. We used a 32-bit, 6-round variant of RC5 to generate all permutations and random numbers. We can parameterize the simulation in terms of: the number of vulnerable machines in the address space; scans per second; the time to infect a machine; number infected during the hit-list phase; and the type of secondary scan (permutation, partitioned permutation, or random). The simulator assumes multithreaded scanning. To ensure that the simulator produces reasonable results, Figure 6 shows a comparison between the simulator’s output and the model developed in Section 2, for a worm capable of 10 scans/second in a population of 300,000 vulnerable machines. The simulation results fit the model for K = 2.6 and T = 5.52. This represents a worm which is slightly faster (less than 50%) than Code Red I. Figure 7 then shows how both faster scanning and the Warhol strategies affect the propagation time. The faster scanning worm (capable of 100 scans/second) reduces the infection time down to under an hour, while the combination of hit-list scanning, permutation scanning, and fast scanning, further reduces infection time to roughly network, it is usually not reachable directly by a worm except through local scanning. 0 100,000 200,000 300,000 0 2 4 6 8 10 12 14 16 Time (minutes) Infected Machines Infected Machines Active Worms Dormant Worms Figure 8: A closeup of the behavior of the Warhol worm seen in Figure 7. The infection initially progresses rapidly— effectively all worms are actively scanning the net—but as infection rates near 100%, many worms have gone dormant, correctly concluding that there are few vulnerable machines remaining and should therefore cease scanning. 15 minutes. Figure 8 shows in more detail the behavior of the Warhol strategies. It gets a huge boost from the hit-list during the first few seconds of propagation, quickly establishing itself on the network and then spreading exponentially. As the infection exceeds the 50% point, some of the worms begin recognizing that saturation is occurring and stop scanning. By the time the graph ends (at 99.99% of the simulated population), most of the worms have gone silent, leaving a few remaining worms to finish scanning the last of the address space. 4.4 Topological Scanning An alternative to hit-list scanning is topologically aware scanning, which uses information contained on the victim machine in order to select new targets. Email worms have used this tactic since their inception, as they harvest addresses from their victim in order to find new potential targets, as did the Morris worm (necessary because of the very sparse address space when it was released) [Sp89, ER89]. Many future active worms could easily apply these techniques during the initial spread, before switching to a permutation scan once the known neighbors are exhausted. An active worm that attacked a flaw in a peerto-peer application could easily get a list of peers from